NLHB: A Non-Linear Hopper-Blum Protocol



Mukundan Madhavan, Andrew Thangaraj, Yogesh Sankarasubramaniam, and Kapali Viswanathan

Indian Institute of Technology, Madras
HP Labs India, Bangalore



Abstract. In this paper, we propose a light-weight provably-secure authentication protocol called
the NLHB protocol, which is a variant of the HB protocol [1]. The HB protocol uses the complexity of
decoding linear codes for security against passive attacks. In contrast, security for the NLHB protocol
is proved by reducing passive attacks to the problem of decoding a class of non-linear codes that are
provably hard. We demonstrate that the existing passive attacks ([2], [3]) on the HB protocol family,
which have contributed to a considerable reduction in its effective key-size, are ineffective against the
NLHB protocol. From this evidence, we conclude that smaller key-sizes are sufficient for the NLHB
protocol to achieve the same level of passive-attack security as the HB protocol. Further, for this
choice of parameters, we provide an implementation instance of the NLHB protocol for which the
Prover/Verifier complexity is lower than that of the HB protocol, enabling authentication on very low-cost
devices like RFID tags. Finally, in the spirit of the HB+ protocol, we extend the NLHB protocol to
the NLHB+ protocol and prove security against the class of active attacks defined in the DET model.
Keywords: HB protocol, LPN problem, Secure and Efficient Authentication Protocol, Passive attacks,
RFID tags.

1 Introduction 

The HB protocol was proposed in [1] as a low-complexity authentication algorithm that can be computed by 
human users. Its security is based upon the hardness of the "Learning Parity in Noise" (LPN) problem [4], 
which is known to be NP-Hard. Though the protocol is secure against passive attacks, where the attacker 
is allowed only to eavesdrop on protocol communications, it was found to be vulnerable to active attacks, 
where the attacker could send spurious messages to the protocol participants. Having discovered this 
efficient active attack against the protocol, Juels and Weis [5] proposed the HB+ protocol as an alternative
that could resist active attacks. The added complexity of the HB+ protocol and the protocol's need for 
generation of many random numbers by the Prover rendered it more suitable for low-complexity RFID 
tags rather than human users. 

Cryptanalysis of the HB authentication protocol has resulted in efficient solutions to the LPN problem. 
Notably, Levieil and Fouque [2] proposed the LF2 algorithm, which is an improved form of the BKW 
algorithm [6] for solving the LPN problem. Later, Carrijo et al. [3] proposed a probabilistic passive attack 
against the HB and HB+ protocols. These new solutions have significantly reduced the effective key-size of
the HB protocol family, which depends on the hardness of decoding linear codes for security against passive
adversaries.

In this paper, we define and consider the UNLD problem, which is a decoding problem for a specific 
class of non-linear codes. We prove hardness of UNLD by reducing the LPN problem to the UNLD problem. 
Following this, we propose the NLHB protocol, which is a carefully constructed variant of the HB protocol. 
Security of NLHB against passive attacks is proved by reduction from UNLD to the passive attack problem. 

The basic idea behind the NLHB protocol is the use of a carefully-chosen non-linear Boolean function 
on the linear parities generated in the HB protocol. The use of this non-linear function does not affect 
the provable security of NLHB as a reduction from the provably-hard UNLD problem still works under 
a simple uniformity condition satisfied by the function. On the practical side, the use of the non-linear 
function considerably weakens the effectiveness of passive attacks like LF2 [2] that depend on the linearity
of the parities. Therefore, key efficiency is higher in NLHB when compared to HB.

For implementation, we demonstrate a certain quadratic form chosen from the general family of functions
that we propose for NLHB, which presents a specific low-cost candidate for the protocol. Using
this candidate function, the complexity of the NLHB protocol is low enough that it can be implemented 
in low-cost devices such as RFIDs. Finally, we show that the Prover/ Verifier complexity of NLHB protocol 
can be lower than that of the HB protocol because of the use of smaller keys. 

Active attacks similar to those on the HB protocol are possible on the basic NLHB protocol. We
demonstrate that the basic NLHB protocol can be extended to an NLHB+ protocol, in the spirit of HB+, 
for security in some active attack models. We show that the reductions for the HB+ protocol as shown 
in [7, 8] work for the NLHB+ protocol as well. 

In summary, the main contribution of this paper is a low-cost, provably-secure extension of the HB 
protocol through the use of simple non-linear functions on parities. Because of the non-linearity, the pro- 
posed NLHB protocol has better resistance to known passive attacks on the HB family resulting in higher 
key efficiency and cheaper implementations. Also, the NLHB protocol can be modified in the spirit of the 
several known modifications of the HB protocol to obtain better security against different classes of active 
attacks. 

The paper is organized as follows. In Section 2, we give a brief introduction on the HB and HB+ 
protocols, related security models and the "Learning Parity in Noise" (LPN) problem. In Section 3, we 
describe the UNLD problem, a type of non-linear code decoding problem and prove its NP-Hardness. This 
is followed by a description of the NLHB protocol and its security proofs. Section 4 contains discussions 
on the resistance of the protocol to passive attacks and its Prover complexity. This is followed by the 
proposition of the NLHB+ protocol and its security proofs in Section 5. Section 6 concludes the paper. 

2 The HB And HB+ Protocols 
2.1 HB Protocol 

The HB protocol is a symmetric-key authentication protocol. The Prover and Verifier share a random
$k$-bit secret key $s$. The protocol has two public probability parameters $\epsilon, \epsilon' \in \,]0, \frac{1}{2}[$ such that
$\epsilon < \epsilon'$. To authenticate, the Verifier sends a random $k$-bit challenge vector $a$. The Prover, in turn,
calculates the binary dot-product $s \cdot a$ and replies to the Verifier with $z = s \cdot a + v$, where $v$ is a
Bernoulli random variable that takes the value 1 with probability $\epsilon$ and $+$ denotes XOR addition. This
process is repeated $n$ times. At the end of $n$ repetitions, the Verifier returns an "Accept" message iff at
most $\epsilon' n$ responses are "wrong", i.e., different from the dot-products of the secret and the corresponding
challenges. This process, which constitutes one authentication session, can be parallelized as shown in Figure 1.

Fig. 1. Parallelized version of the HB protocol

In the parallelized form, the Verifier challenges the Prover with a random $k \times n$ matrix $A$, to which
the Prover responds with $z = sA + v$. Here, the bits of the vector $v$ are all i.i.d. Bernoulli random variables
with parameter $\epsilon$ and the multiplication between the vector $s$ and $A$ is over the binary field GF(2). The
response vector $z$ is an $n$-bit vector and the Verifier responds with "Accept" iff $d(z, sA) \le \epsilon' n$, where $d(\cdot)$
denotes Hamming distance. The parameters e,e', and n are fixed so that both the probability of rejecting an 
honest Prover as well as the probability of positively authenticating an attacker giving random responses 
are negligible ([2], Figure 2). The HB Protocol has been proven secure in the Passive attack model as 
defined below. 

Definition 1 (Passive attack model ([5], [7])). In this model, the adversary algorithm is two-phased. 
In the first phase (called the query phase), the adversary has access to the transcripts from an arbitrary 
number of authentication sessions between an honest Prover and Verifier. In the second phase (called the 
cloning phase), the adversary tries to impersonate an honest Prover to the Verifier. 

However, the HB protocol is not secure against active attacks [5]. 
2.2 HB+ Protocol 

The HB protocol is susceptible to a simple active attack. In this attack, the attacker repeatedly 
challenges an honest Prover with the same challenge, and by majority vote over these multiple responses, 
decides (with high confidence) on the noise-free response. This is repeated for k linearly independent 
challenges, following which, the secret key is easily found using a Gaussian elimination over the system of 
linear equations defined by these k challenge-response pairs [5]. Thus, the active attacker need not solve 
the LPN problem to attack the HB protocol. 
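The majority-vote attack just described, as an added simulation that is not part of the original paper: an attacker who can query an honest HB Prover replays the same challenge, recovers the noise-free parity $s \cdot a$ by majority vote, collects challenges until they span GF(2)$^k$, and solves the linear system. The key size (32 bits), the noise rate and the number of repetitions per challenge are assumptions chosen so that the example runs in well under a second.

```python
import random


def hb_prover_response(s, a, eps, rng):
    """Honest HB Prover: z = s.a + v over GF(2).  s and a are k-bit integers, so the
    dot product is the parity of (s & a); v is Bernoulli(eps) noise."""
    v = 1 if rng.random() < eps else 0
    return (bin(s & a).count("1") & 1) ^ v


def majority_vote_parity(s, a, eps, rng, trials):
    """Active attacker's step: send the same challenge a `trials` times and take the
    majority of the noisy answers; with eps < 1/2 this is s.a with high probability."""
    ones = sum(hb_prover_response(s, a, eps, rng) for _ in range(trials))
    return 1 if 2 * ones > trials else 0


def solve_gf2(rows, rhs, k):
    """Gaussian elimination over GF(2).  rows are k-bit challenge integers and rhs the
    corresponding (noise-free) parity bits.  Returns the unique solution as a k-bit
    integer, or None if the challenges seen so far do not have full rank k."""
    pivots = {}  # pivot bit -> (row, rhs); every stored row is zero at all other pivot bits
    for row, b in zip(rows, rhs):
        for pbit, (prow, pb) in pivots.items():
            if (row >> pbit) & 1:
                row ^= prow
                b ^= pb
        if row == 0:
            continue  # linearly dependent on earlier challenges
        pbit = row.bit_length() - 1
        for q, (qrow, qb) in list(pivots.items()):
            if (qrow >> pbit) & 1:
                pivots[q] = (qrow ^ row, qb ^ b)
        pivots[pbit] = (row, b)
    if len(pivots) < k:
        return None
    # With k pivots every stored row is a unit vector, so its rhs bit is the key bit.
    s = 0
    for pbit, (_, b) in pivots.items():
        s |= b << pbit
    return s


def active_attack_hb(s_secret, k, eps, rng, trials=101):
    """Collect majority-voted (challenge, parity) pairs until rank k, then solve.
    Returns (recovered key, number of distinct challenges used)."""
    rows, rhs = [], []
    while True:
        a = rng.getrandbits(k)
        rows.append(a)
        rhs.append(majority_vote_parity(s_secret, a, eps, rng, trials))
        if len(rows) >= k:
            s = solve_gf2(rows, rhs, k)
            if s is not None:
                return s, len(rows)


def demo(seed=1, k=32, eps=0.25):
    """Run the attack against a random key; returns (true key, recovered key, challenges)."""
    rng = random.Random(seed)  # seeded so the run is reproducible (assumption)
    s = rng.getrandbits(k)
    recovered, used = active_attack_hb(s, k, eps, rng)
    return s, recovered, used


if __name__ == "__main__":
    s, rec, used = demo()
    print(f"key recovered: {rec == s}, challenges needed: {used}")
```

Note that the attacker never solves LPN: the noise is averaged away by repetition, which is exactly what the blinding matrix of HB+ is meant to prevent, since the Prover's own randomness then enters every response.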

To counter such attacks, Juels and Weis [5] proposed the HB+ protocol (Figure 2). Instead of a single
secret, the Prover and Verifier share two $k$-bit secret keys $s_1$ and $s_2$ (see footnote 1). In its parallel form,
the HB+ protocol can be described as follows. The Prover starts an authentication session by sending a random
"blinding" matrix $B$ to the Verifier, which in turn replies with its own random challenge matrix $A$. On
receiving $A$, the Prover responds with $z = s_1 B + s_2 A + v$. Here, $A$ and $B$ are $k \times n$ matrices, and $v$ has
the same definition as in the HB protocol. The Verifier responds with an "Accept" decision iff
$d(z, s_1 B + s_2 A) \le \epsilon' n$. Now, when an active attack is mounted, the attacker still has to solve an LPN
instance on the matrix $B$.

The HB+ protocol is secure against both passive attacks as well as active attacks in a model known 
as the "DET" attack model. 

Definition 2 (DET Attack Model ([5], [8])). In this model, attacks are two-phased. In the first (query)
phase, the adversary can interact with an honest Prover an arbitrary number of times. In the second (cloning)
phase, the adversary interacts with the Verifier and attempts impersonation.

Footnote 1: The sizes of these secrets can be different. This paper shall consider them to be of the same size
without loss of generality.

Significance Of The "DET" Model: Juels and Weis discuss the significance of the "DET" model in [5,
Appendix A]. Even though this model does not include Man-In-the-Middle attackers and does not give an
attacker access to Verifier decisions at the end of authentication, it is an important security model in a 
context where the adversary has to forge a valid Prover without the attack being detected. Since attacks 
in the more powerful prevention-based models like GRS-MIM [9] may not be undetected attacks, the 
prevention-based model is not the ideal model in all scenarios. As an example, in a setting where the 
Verifier would report repeated authentication failures from a Prover, the detection-based model is more 
suitable. 

2.3 The LPN Problem and Passive Attacks 

Definition 3 (LPN Problem [5]). Let $s$ be a random binary $k$-bit vector. Let $\epsilon \in \,]0, \frac{1}{2}[$ be a constant
error parameter. Let $A$ be a random $k \times n$ matrix, and let $v$ be a random $n$-bit vector such that $\mathrm{wt}(v) \le \epsilon n$,
where $\mathrm{wt}(v)$ denotes the Hamming weight of $v$. Given $A$, $\epsilon$ and $z = sA + v$, find a $k$-bit vector $s'$ such
that $d(z, s'A) \le \epsilon n$.

For large n, this is equivalent to finding the vector s. The LPN problem has been proven to be NP- 
Hard [4] and is conjectured to be average-case hard [1]. The BKW algorithm, which was the best-known 
algorithm to solve the LPN problem when the HB protocol was proposed, has a high complexity and 
requires a large number of challenge-response pairs $(A, z)$ to obtain a solution. The LF2 algorithm [2],
which is an improvement over the BKW algorithm, has considerably lower complexity and needs fewer
challenge-response pairs for its solution. Later, a probabilistic attack on the LPN problem was proposed
by Carrijo et al. in [3]. These attacks have reduced the effective key-size of the HB protocol, necessitating 
higher key-sizes. We first describe the LF2 attack, followed by the attack proposed by Carrijo et al. 

When the key-size is large, exhaustive search over the space of all possible keys is intractable. So,
the LF2 attack aims to estimate a few bits of the key at a time. The attack involves adding columns
of the challenge matrix $A$ (and the corresponding responses) so that only the first few (say $b$) rows have
non-zero entries in the resulting matrix. This addition causes two different changes. First, adding two or
more noisy responses results in an increased chance of the new response being wrong. So, the apparent
Bernoulli parameter in this new set of equations is higher. However, the second and more important change
is that, since only the secret bits corresponding to the $b$ non-zero rows play a role in the multiplication $sA$,
the attacker can now find these $b$ bits in isolation by running an exhaustive search over $2^b$ possibilities. So,
by running an exhaustive search over a space of size $2^b$ (which is much smaller than $2^k$), the first $b$ bits
of the original key can be found. Repeating this process for the second $b$ rows, and so on, gives the whole
key. Thus, the attack depends heavily on the fact that the Prover's response is a noisy version of some
codeword from the linear code having $A$ as its generator.

A second new passive attack was also proposed by Carrijo et al. [3]. This attack tries to pick noise-free
bits from the response vector and find the key through Gaussian elimination on the system of equations 
formed from these bits alone. So, this attack too, depends on the Prover's response being the noisy version 
of a codeword of the linear code generated by A. 

As a consequence of these attacks, an LPN instance using as many as 512 bits of secret can be attacked
with a complexity of just 2*° operations.
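The column-adding idea behind BKW/LF2, as an added toy implementation that is not part of the original paper and is deliberately simplified: in each merging round the first sample of every partition is XORed into the others (the LF1-style step, not the LF2 pairwise combination), samples are merged block by block until only $b$ rows of the challenge matrix are non-zero, and the $b$ key bits of that block are then found by exhaustive search over $2^b$ candidates. The parameters $k = 16$, $b = 4$, $\epsilon = 1/8$ and the sample count are assumptions chosen so that it runs in a few seconds; a real LPN instance needs the full algorithm and far more samples.

```python
import random


def parity(v):
    """Parity of the set bits of v, i.e. the GF(2) dot product once v = s & a."""
    return bin(v).count("1") & 1


def lpn_samples(s, k, eps, count, rng):
    """Passive transcript of the parallel HB protocol as (column a, response bit z) pairs:
    z = s.a + v with v ~ Bernoulli(eps).  Columns are stored as k-bit integers."""
    out = []
    for _ in range(count):
        a = rng.getrandbits(k)
        v = 1 if rng.random() < eps else 0
        out.append((a, parity(s & a) ^ v))
    return out


def reduce_block(samples, shift, b):
    """One merging round: partition samples by the b bits at positions [shift, shift+b),
    take the first sample of each partition as representative and add it to the others.
    The b bits become zero in every surviving sample, and each survivor is the sum of two
    responses, so its error rate rises from e to 2e(1-e)."""
    mask = ((1 << b) - 1) << shift
    reps, out = {}, []
    for a, z in samples:
        key = a & mask
        if key == 0:
            out.append((a, z))
        elif key in reps:
            ra, rz = reps[key]
            out.append((a ^ ra, z ^ rz))
        else:
            reps[key] = (a, z)
    return out


def recover_block(samples, shift, b, k):
    """Zero every block except the target, then exhaustively search the 2^b candidates for
    the target bits and keep the one agreeing with the most (noisy) responses."""
    for other in range(0, k, b):
        if other != shift:
            samples = reduce_block(samples, other, b)
    best, best_agree = 0, -1
    for cand in range(1 << b):
        agree = sum(1 for a, z in samples if parity((a >> shift) & cand) == z)
        if agree > best_agree:
            best, best_agree = cand, agree
    return best


def bkw_recover(samples, k, b):
    """Recover the whole key block by block, as the text describes for LF2."""
    s = 0
    for shift in range(0, k, b):
        s |= recover_block(samples, shift, b, k) << shift
    return s


def demo(seed=3, k=16, b=4, eps=0.125, count=30000):
    rng = random.Random(seed)  # seeded for reproducibility (assumption)
    s = rng.getrandbits(k)
    samples = lpn_samples(s, k, eps, count, rng)
    return s, bkw_recover(samples, k, b)


if __name__ == "__main__":
    s, rec = demo()
    print(f"true key {s:016b}, recovered {rec:016b}, success={s == rec}")
```

Every step relies on the responses being noisy codewords of the linear code generated by $A$: adding two samples adds their codeword parts, which is what lets the attacker cancel all but $b$ rows.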

3 The UNLD Problem and the NLHB Protocol 

The main idea in this paper is to replace the linear parity generation part $sA$ in the HB protocol with
a non-linear version $f(sA)$ for a suitable public function $f$. The following characteristics are desirable for
such a function $f$:

1. The function $f$, assumed to be public, must allow for the reduction of hardness from decoding problems
to passive attacks on the protocol.

2. The function $f$ must be simple enough to implement on low-cost devices.

3. The function $f$ must provide better resistance to known passive attacks that solve the LPN problem.

4. The function $f$ should allow extensions such as HB+ for security against active attacks.

We now describe a specific class of non-linear Boolean vector functions and discuss some of its properties 
that will be used in the security reductions. We discuss the other characteristics like implementation-cost 
and passive attack resistance in later sections. 

3.1 The Function $f$

Let $D$ and $p$ be positive integers such that $D = n - p$ ($n$ is as described in the HB protocol). We propose
the following construction for the NLHB protocol function $f$. Each bit $y_i$, $i \in [1, .., D = n - p]$, of the output
$y = f(x)$; $y \in \{0,1\}^D$, $x \in \{0,1\}^n$, will be computed as

$$y_i = x_i + g([x_{i+1}, .., x_{i+p}]), \qquad (1)$$

where $x_j$ are the bits of $x$ and $g$ is a $p$-bit to 1-bit Boolean function containing strictly non-linear
terms. Below, we list some important properties of this class of functions.

1. $f : \{0,1\}^n \to \{0,1\}^D$

2. $f$ is a non-linear function.

3. For uniformly distributed $x \in \{0,1\}^n$, $f(x)$ is uniformly distributed in $\{0,1\}^D$.

A proof of Property 3 is provided in Appendix C. Intuitively, the function $g([x_{i+1}, .., x_{i+p}])$
causes the output bits $y_i$ to be non-linearly related to $x$, and the component $x_i$ helps in balancing the output
bit $y_i$.

As a specific example, the function defined by

$$y_i = x_i + x_{i+1}x_{i+2} + x_{i+2}x_{i+3} + x_{i+3}x_{i+1}, \qquad 1 \le i \le D \qquad (2)$$

is a member of this function family with $p = 3$. The uniform distribution property for $p = 3$ can
be readily verified by exhaustively determining the joint distribution of $\{y_{i+1}, y_{i+2}, y_{i+3}\}$ for a fixed $i$.
When we set $p = 3$, the function $f$ takes an $n$-bit vector $x$ and maps it onto a $D = (n - 3)$-bit response
vector. As we can see, members of this family like the one described in (2) require very little additional
complexity (only 3 AND gates and 3 XOR gates in this case) for implementation, and their use in any
protocol's implementation will add very little complexity. This can easily be accommodated into any RFID
tag, however cheap.

In the next section, we describe how this function family can be used to create a robust protocol. In 
later sections, we use our specific candidate to demonstrate how their use in the protocol leads to increased 
passive attack resistance while still maintaining low implementation complexity. However, we would like to 
point out that our proofs of security hold for all functions in the general class of functions in (1). 

3.2 UNLD Problem

Suppose $A_{k \times n}$ is the generator matrix of a linear code. Then all vectors of the form $sA$ are codewords of
this code. When we apply the function $f$ to these codewords $sA$, i.e., we compute $f(sA)$, the set of vectors
$\{f(s_i A)\}_{i=1}^{2^k}$ at the output can be viewed as a non-linear code.

We now define the UNLD problem, which (in words) is the problem of decoding the class of non-linear
codes defined by $f$ and $A$ as $\{f(s_i A)\}_{i=1}^{2^k}$.

Definition 4 (UNLD Problem). Let $s$ be a random $k$-bit binary vector. Let $\epsilon \in \,]0, \frac{1}{2}[$ be a constant error
parameter. Let $A$ be a random $k \times n$ binary matrix and let $v$ be a random $D$-bit vector such that $\mathrm{wt}(v) \le \epsilon D$,
where $\mathrm{wt}(v)$ denotes the Hamming weight of $v$. Given $A$, $\epsilon$ and $z = f(sA) + v$, find the $k$-bit vector $s$.
We prove the hardness of the UNLD problem by reducing a random instance of the LPN problem,
which is known to be NP-Hard to solve, to the UNLD problem. To show the reduction, we consider a
hypothetical algorithm $X$ that can solve the UNLD problem. We construct an algorithm $S$, which can solve
a random LPN instance when given access to $X$.

Theorem 1 (LPN reduces to UNLD). Let $A$ be a random $k \times n$ matrix, $v'$ be an $(n-p)$-bit Bernoulli
noise vector, and $s$ be a random $k$-bit vector. Suppose there exists a probabilistic polynomial-time (PPT)
algorithm $X$ with input $(A, y = f(sA) + v')$ that can output $s$ with probability at least $\delta$. Then, there also
exists a PPT algorithm $S$ that can solve an LPN problem instance $(G_{k \times n'}, z = mG + v)$ for randomly chosen
$m$, Bernoulli noise vector $v$ and $n' < \frac{n-1}{p}$, $k < n'$ with probability at least $\delta$.

Proof. Let $z = [z_1, \ldots, z_{n'}]$ and $v = [v_1, \ldots, v_{n'}]$ be the constituent bits of the vectors described above. The
algorithm $S$, having access to algorithm $X$, works as follows to solve a random LPN instance $(G, z)$ passed
to it.

1. Pick $r_i$ for $1 \le i \le n'-1$ such that $r_i \ge (p-1)$ and $\sum_{i=1}^{n'-1} r_i = n - p - n'$.

2. Insert $r_i$ Bernoulli bits between bits $z_i$ and $z_{i+1}$ of $z$ for $1 \le i \le n'-1$. This gives rise to the vector

$$y_{(n-p)} = [z_1,\; b_1 b_2 \ldots b_{r_1},\; z_2,\; b_{r_1+1} \ldots b_{r_1+r_2},\; z_3,\; \ldots,\; b_{n-p-n'},\; z_{n'}].$$

3. Insert $r_i$ columns of zeros between columns $i$ and $i+1$ of $G$ ($1 \le i \le n'-1$) to get the matrix $A$.
Insert $p$ columns of zeros after the last column of $A$. Now, the dimension of $A$ is $k \times n$ and $A$ is of the
form $A = [g_1\,0\,0..0\;\; g_2\,0\,0..0 \;\;\ldots\;\; g_{n'}\,0\,0..0]$, where $g_i$ are the columns of $G$.

4. Pass $(A, y)$ to $X$ and get back $m'$.

5. Return $m'$ as the estimate of the LPN secret $m$.

We now show that $S$ succeeds with probability at least $\delta$. Consider the vector $x = mA$. We can see that
$x = [x_1\,0\,0..0\;\; x_2\,0\,0..0\;\; x_3\,0\,0..0 \;\;\ldots\;\; x_{n'}\,0\,0..0]$, where $[x_1, x_2, \ldots, x_{n'}]$ are the bits of $mG$. We also see that, since
$g$ has only non-linear terms (i.e., each term in $g$ is some kind of product of at least two input bits) and
$r_i \ge (p-1)$, the vector $f(x)$ can be written as $f(x) = [x_1\,0\,0..0\;\; x_2\,0\,0..0\;\; x_3\,0\,0..0 \;\;\ldots\;\; 0\,0\; x_{n'}]$, as all the product terms
from $g$ go to zero.

Let this new vector $f(x)$ be called $x'$. So, the vector $y$ is of the form $x' + v'$ where

$$v' = [v_1,\; b_1 b_2 \ldots b_{r_1},\; v_2,\; \ldots,\; b_{r_1+r_2},\; \ldots,\; b_{n-p-n'},\; v_{n'}].$$

Here, the $v_i$ are Bernoulli bits since they are part of the LPN noise vector $v$, and the $b_i$ are picked to be
Bernoulli bits. So, $y = f(mA) + v'$, where $v'$ is a Bernoulli noise vector. Hence, by definition, $X$ will return
$m$ with probability at least $\delta$. Since $S$ succeeds whenever $X$ succeeds, the probability of success of $S$ is at
least $\delta$. □

We note that it is always possible to pick $r_i$ satisfying the condition in Step 1 for any $n$ and $n' < \frac{n-1}{p}$. As
an example, one could initially fix $r_i = (p-1)$ for all $i$. Then $\sum r_i = (n'-1)(p-1) = n'p - p - n' + 1$. Then
one can add the difference $(n - p - n') - (n'p - p - n' + 1) = n - n'p - 1$ (which is always positive because
of the upper bound on $n'$) to, say, $r_1$, giving us a new set $\{r_i\}$ satisfying the conditions in Step 1 for any $n$.
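The function $f$ of Section 3.1 and the embedding performed by $S$ in Steps 1-3 of the proof of Theorem 1, as an added worked example that is not part of the original paper. Property 3 is checked by exhaustive enumeration for a small $n$ (a tractability assumption; the paper proves it in Appendix C), non-linearity is exhibited by a counterexample to additivity, and the embedding follows the steps literally, with the surplus $n - n'p - 1$ added to $r_1$ as in the remark above; the check then confirms that $f(mA)$ is exactly $mG$ spread out with zeros. The sizes $k$, $n'$, $n$ used in the demo are assumptions.

```python
import itertools
import random
from collections import Counter

P = 3  # window width of g in the candidate (2)


def g_quadratic(w):
    """The p = 3 function g of eq. (2): x_{i+1}x_{i+2} + x_{i+2}x_{i+3} + x_{i+3}x_{i+1}.
    Every term is a product of two window bits, so g has only non-linear terms."""
    a, b, c = w
    return (a & b) ^ (b & c) ^ (c & a)


def f(x, g=g_quadratic, p=P):
    """Eq. (1): y_i = x_i + g(x_{i+1}, ..., x_{i+p}) for i = 1..n-p, on a list of bits x."""
    return [x[i] ^ g(x[i + 1:i + 1 + p]) for i in range(len(x) - p)]


def is_uniform_image(n, g=g_quadratic, p=P):
    """Property 3 by enumeration: f must hit every y in {0,1}^{n-p} exactly 2^p times."""
    counts = Counter(tuple(f(list(x), g, p)) for x in itertools.product((0, 1), repeat=n))
    return len(counts) == 2 ** (n - p) and set(counts.values()) == {2 ** p}


def is_nonlinear(n, g=g_quadratic, p=P):
    """Property 2: exhibit x, x' with f(x) + f(x') != f(x + x') over GF(2)."""
    vecs = list(itertools.product((0, 1), repeat=n))
    for x in vecs:
        for x2 in vecs:
            lhs = [u ^ w for u, w in zip(f(list(x), g, p), f(list(x2), g, p))]
            rhs = f([u ^ w for u, w in zip(x, x2)], g, p)
            if lhs != rhs:
                return True
    return False


def mat_vec_gf2(m, G):
    """m G over GF(2): m is a list of k bits, G a list of k rows of n' bits."""
    return [sum(m[i] & G[i][j] for i in range(len(m))) & 1 for j in range(len(G[0]))]


def embed_lpn_in_unld(G, z, n, p, eps, rng):
    """Steps 1-3 of the proof of Theorem 1.  Given an LPN instance (G_{k x n'}, z), return
    (A_{k x n}, y_{n-p}) such that f(mA) equals mG spread out with zeros, so y is a UNLD
    instance for the same secret m.  Inserted bits b_i are Bernoulli(eps)."""
    k, n_prime = len(G), len(G[0])
    assert n_prime >= 2 and n_prime * p <= n - 1, "need n' < (n-1)/p"
    # Step 1: r_i >= p-1 with sum r_i = n - p - n'; the surplus n - n'p - 1 goes to r_1.
    gaps = [p - 1] * (n_prime - 1)
    gaps[0] += (n - p - n_prime) - (n_prime - 1) * (p - 1)
    y, A = [], [[] for _ in range(k)]
    for j in range(n_prime):
        y.append(z[j])                       # Step 2: keep z_j ...
        for i in range(k):
            A[i].append(G[i][j])             # Step 3: ... and column g_j
        if j < n_prime - 1:
            for _ in range(gaps[j]):         # r_j Bernoulli bits / zero columns
                y.append(1 if rng.random() < eps else 0)
                for i in range(k):
                    A[i].append(0)
    for _ in range(p):                       # p trailing zero columns, no bits in y
        for i in range(k):
            A[i].append(0)
    assert len(y) == n - p and all(len(row) == n for row in A)
    return A, y


def demo(seed=7, k=6, n_prime=5, n=20, p=P):
    """Check that the embedded noise-free codeword f(mA) is exactly the spread-out mG."""
    rng = random.Random(seed)  # seeded for reproducibility (assumption)
    G = [[rng.getrandbits(1) for _ in range(n_prime)] for _ in range(k)]
    m = [rng.getrandbits(1) for _ in range(k)]
    A, y = embed_lpn_in_unld(G, mat_vec_gf2(m, G), n, p, eps=0.0, rng=rng)
    return f(mat_vec_gf2(m, A)) == y


if __name__ == "__main__":
    print("uniform:", is_uniform_image(8), "non-linear:", is_nonlinear(6), "embedding:", demo())
```

The enumeration also shows why Property 3 holds for any $g$ in the family: for a fixed $y$, the last $p$ bits of $x$ can be chosen freely and every earlier bit $x_i = y_i + g(x_{i+1}, .., x_{i+p})$ is then forced, so each output has exactly $2^p$ preimages.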

3.3 NLHB Protocol 

Having established the hardness of the UNLD problem, we now propose the NLHB protocol that is
based on this problem. Figure 3 shows one session of the NLHB protocol. The Prover and Verifier share a
$k$-bit secret $s$. The Verifier transmits a random $k \times n$ challenge matrix $A$ to the Prover. On receiving this,
the Prover computes $f(sA)$. Then, it computes $z = f(sA) + v$, where $v$ is a noise vector whose bits are
all independently distributed according to the Bernoulli distribution with parameter $\epsilon$, just like the noise
vector in the HB protocol. Here $sA$ is an $n$-bit vector and $z$ is a $D$-bit vector. On receiving $z$, the Verifier
checks whether $d(z, f(sA)) \le \epsilon' D$. Iff this is true, it returns "Accept". Here too, $\frac{1}{2} > \epsilon' > \epsilon$. Further, since
the noise vector is of length $D$, $D$ has to be large enough ($\approx 1000$) and $(D, \epsilon, \epsilon')$ have to satisfy the conditions
satisfied by the HB protocol parameters $(n, \epsilon, \epsilon')$ (see Figure 2 of [2]). For example, $D = 1164$, $\epsilon = 0.25$ and
$\epsilon' = 0.348$ is a possible parameter set.

Fig. 3. Parallelized version of the NLHB protocol (shared secret $s$). Verifier: choose $A \in \{0,1\}^{k \times n}$ and send it to the Prover. Prover: send $z_{(1 \times D)} = f(sA) + v$. Verifier: "Accept" iff $d(z, f(sA)) \le \epsilon' D$.

Due to the non-linearity property of $f$, $f(sA)$ is some unknown codeword of the random non-linear
code $\{f(s_i A)\}_{i=1}^{2^k}$ and $z$ is the noisy form of this codeword. To find the secret $s$, the attacker now has to
decode this random non-linear code instead of the linear code with generator matrix $A$. We will show in
Section 4.1 that existing passive attacks on the HB protocol family do not work on our protocol. Our proofs of
security are valid for a general class of functions. However, in Section 4, we demonstrate that, for certain
choices of $f$ within this family, the protocol complexity is very low.
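One NLHB session in the parallelized form of Figure 3, together with a numerical check of the parameter conditions, as an added example that is not part of the original paper. The Prover and Verifier are plain functions exchanging $A$ and $z$; the false-reject and false-accept probabilities for $(D, \epsilon, \epsilon') = (1164, 0.25, 0.348)$ are computed from the binomial tails that the HB parameter conditions refer to (an honest Prover is rejected when $\mathrm{wt}(v) > \epsilon' D$; a responder without $s$ is wrong in each bit with probability $1/2$). The key length $k = 80$, the RNG seeding and the use of the quadratic $g$ of (2) are assumptions.

```python
import math
import random

P = 3


def f(x, p=P):
    """Candidate (2): y_i = x_i + x_{i+1}x_{i+2} + x_{i+2}x_{i+3} + x_{i+3}x_{i+1}."""
    out = []
    for i in range(len(x) - p):
        a, b, c = x[i + 1], x[i + 2], x[i + 3]
        out.append(x[i] ^ (a & b) ^ (b & c) ^ (c & a))
    return out


def vec_mat_gf2(s, A):
    """sA over GF(2): s is k bits, A is a list of k rows of n bits."""
    return [sum(s[i] & A[i][j] for i in range(len(s))) & 1 for j in range(len(A[0]))]


def verifier_challenge(k, n, rng):
    return [[rng.getrandbits(1) for _ in range(n)] for _ in range(k)]


def prover_response(s, A, eps, rng):
    """Honest Prover: z = f(sA) + v with v i.i.d. Bernoulli(eps)."""
    return [b ^ (1 if rng.random() < eps else 0) for b in f(vec_mat_gf2(s, A))]


def verifier_decision(s, A, z, eps_p):
    """Accept iff d(z, f(sA)) <= eps' D, with D = n - p."""
    ref = f(vec_mat_gf2(s, A))
    return sum(a ^ b for a, b in zip(z, ref)) <= math.floor(eps_p * len(ref))


def nlhb_session(s, k, n, eps, eps_p, rng, honest=True):
    """One parallelized session.  A dishonest Prover here is an impersonator without s
    who answers with uniformly random bits."""
    A = verifier_challenge(k, n, rng)
    if honest:
        z = prover_response(s, A, eps, rng)
    else:
        z = [rng.getrandbits(1) for _ in range(n - P)]
    return verifier_decision(s, A, z, eps_p)


def binom_range(n, q, lo, hi):
    """P[lo <= Bin(n, q) <= hi], summed in log space so tiny tails do not underflow."""
    total = 0.0
    for j in range(lo, hi + 1):
        log_term = (math.lgamma(n + 1) - math.lgamma(j + 1) - math.lgamma(n - j + 1)
                    + j * math.log(q) + (n - j) * math.log1p(-q))
        total += math.exp(log_term)
    return total


def nlhb_error_rates(D, eps, eps_p):
    """(P_FR, P_FA): an honest Prover has wt(v) ~ Bin(D, eps) and is rejected above the
    threshold; a random responder is wrong in each bit w.p. 1/2 and is accepted below it."""
    thr = math.floor(eps_p * D)
    return binom_range(D, eps, thr + 1, D), binom_range(D, 0.5, 0, thr)


def demo(seed=2024, k=80, D=1164, eps=0.25, eps_p=0.348):
    rng = random.Random(seed)  # seeded for reproducibility (assumption)
    s = [rng.getrandbits(1) for _ in range(k)]
    n = D + P
    honest = nlhb_session(s, k, n, eps, eps_p, rng, honest=True)
    forged = nlhb_session(s, k, n, eps, eps_p, rng, honest=False)
    return honest, forged, nlhb_error_rates(D, eps, eps_p)


if __name__ == "__main__":
    honest, forged, (p_fr, p_fa) = demo()
    print(f"honest accepted: {honest}, random impersonator accepted: {forged}")
    print(f"P_false_reject ~ {p_fr:.2e}, P_false_accept ~ {p_fa:.2e}")
```

With these parameters the acceptance threshold is $\lfloor 0.348 \cdot 1164 \rfloor = 405$ wrong bits, against an expected 291 for an honest Prover and 582 for a random responder, which is why both error probabilities come out far below $2^{-30}$.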

3.4 Security Proofs For NLHB In Passive Model 

The proof of security for NLHB in the passive model involves reductions from the UNLD problem to the 
forging of the NLHB protocol in the passive model. It is detailed in Theorems 2 and 3. These theorems are 
broadly based on the proof of security given for the HB protocol in ([7], [8]), with suitable modifications 
and additions to support the function $f$. Here, we first prove a technical lemma of our own that is crucial
to the proof of security. We then use this lemma in the formal proof of our Theorem 2. Since the other
parts of the proofs of Theorem 2 and 3 are similar to those in ([7], [8]), we simply give a brief outline here, 
and delegate the formal proving to the Appendix. 

We first explain some brief notations needed for understanding the proof. 

Notations In The Proof: 

1. The distribution $\mathcal{A}_{s,\epsilon,f}$ is the distribution followed by the $(kn + D)$-length bitstrings in the transcript
of one authentication session of the NLHB protocol (between honest Prover/Verifier) for a secret $s$ and
error parameter $\epsilon$. In other words, it is the distribution followed by $(A, z = f(sA) + v)$, where $A$ is a
random matrix picked from $\{0,1\}^{k \times n}$ and $v$ is a Bernoulli noise vector of length $D$.

2. $U_{kn+D}$ represents uniformly distributed $(kn + D)$-length bitstrings. In other words, a bitstring $S$ from
$U_{kn+D}$ satisfies $\Pr[S = g] = 2^{-(kn+D)}$ for all $g \in \{0,1\}^{kn+D}$.

3. As already seen in Theorem 1, Algorithm $X$ denotes a UNLD solver algorithm.

4. Algorithm $Z$ is an algorithm that is capable of forging the NLHB protocol in the passive model.
Given $q$ bitstrings from the distribution $\mathcal{A}_{s,\epsilon,f}$ and a challenge matrix $A_1$, $Z$ can give a corresponding
response $z_1$ that will generate an "Accept" response from the NLHB Verifier with non-negligible success
probability. In other words, $d(z_1, f(sA_1)) \le u = \epsilon' D$ with non-negligible probability.

5. The advantage of $Z$ (denoted $\mathrm{Adv}_Z^{\mathrm{NLHB\text{-}passive}}(k, \epsilon, u, f)$) is defined as the difference between the
probability of success of $Z$ and the probability of success of an attacker who gives random responses to the
Verifier. Since the latter probability is $P_{FA}$, the probability of false-accept, and is negligible for large
$D$, the advantage of $Z$ is almost the same as its probability of success. The advantage is a function of the
protocol parameters $k$, $\epsilon$ and $u$.

6. We also define an intermediate algorithm $Y$ for the purpose of the proof. The algorithm $Y$ is a
distinguisher algorithm that can successfully distinguish between the distributions $\mathcal{A}_{s,\epsilon,f}$ (for secret $s$) and
$U_{kn+D}$. Given $q$ bitstrings from either distribution (which one, is unknown to $Y$), the algorithm $Y$
processes the bits in some way and outputs 0/1. The probability that $Y$ outputs 1 when the input is $\mathcal{A}_{s,\epsilon,f}$
(for a random $s$) and the probability that $Y$ outputs 1 when the input is $U_{kn+D}$ differ significantly.
That is,

$$\left| \Pr\left[s \leftarrow \{0,1\}^k : Y^{\mathcal{A}_{s,\epsilon,f}} = 1\right] - \Pr\left[Y^{U_{kn+D}} = 1\right] \right| \ge \delta$$

for some non-negligible probability $\delta$. This difference in probabilities of $Y$ outputting 1 for the different
distributions can be used to distinguish these two distributions. In the above equation, $Y^{U_{kn+D}}$ means
that the algorithm $Y$ is given bits that follow the distribution $U_{kn+D}$. The notation $Y^{\mathcal{A}_{s,\epsilon,f}}$ has a
similar meaning.

Note that the difference between the probabilities above is for a random key s. In other words, it is an 
average over all possible keys. 

The reduction is in two steps. 

1. In the first step (given in Theorem 2), we prove a reduction from the UNLD problem to the problem
of distinguishing between the distributions $U_{kn+D}$ and $\mathcal{A}_{s,\epsilon,f}$, i.e., we construct $X$ using $Y$.

2. In the second step (Theorem 3), we provide a reduction from the problem of distinguishing between
these distributions to the problem of forging the NLHB protocol, i.e., we construct $Y$ using $Z$.

Thus, by using Y as an intermediate, we prove a reduction from the UNLD problem to forging of NLHB 
protocol. 

3.4.1 Theorem 2 Proof Outline 

The algorithm $X$ uses $Y$ as follows to solve the UNLD problem. It first estimates $p$, the probability that
$Y$ outputs 1 when given access to $U_{kn+D}$. To do this, it generates $q$ instances of $(kn + D)$ random bits
and passes them to $Y$ (thus simulating $U_{kn+D}$ to $Y$) and obtains $Y$'s binary response. By repeating this $N$
times (for reasonably large $N$) and finding the fraction of 1s in the output, $X$ gets an estimate for $p$. Next,
$X$ takes a bitstring $(A, z)$ from $\mathcal{A}_{s,\epsilon,f}$, to which it has access by definition. Suppose $X$ wants to find $s_i$,
the $i^{th}$ bit of the secret $s$. $X$ adds a random vector $c$ to the $i^{th}$ row of $A$. Let us call the resulting matrix
$A'$. Also, let $\mathrm{hyb}_i$ denote the distribution followed by the bitstring $(A', z)$. $X$ passes $q$ different instances
of $\mathrm{hyb}_i$ (for a given $i$) to $Y$ and obtains its binary output. Like before, it repeats this process $N$ times and
estimates $p_i$, the probability that $Y$ outputs 1 when its input is $\mathrm{hyb}_i$.

If $s_i = 0$, it is easy to see that $\mathrm{hyb}_i = \mathcal{A}_{s,\epsilon,f}$. Further, we prove in Lemma 1 below that if $s_i = 1$, then
$\mathrm{hyb}_i = U_{kn+D}$. Since, by definition, $Y$ outputs 1 with significantly different probabilities for $U_{kn+D}$ and
$\mathcal{A}_{s,\epsilon,f}$, $p_i$ will be very close to $p$ if $s_i = 1$ (meaning $\mathrm{hyb}_i = U_{kn+D}$) and away from $p$ if $s_i = 0$. So, by
estimating the probability of $Y$ outputting 1 and comparing it with $p$, $X$ can deduce $s_i$. By repeating this
procedure for all $i \in [k]$, $X$ can solve the UNLD problem. We have shown this process in Figure 4. The
subscripts of the passed values in the figure denote the $qN$ different instances being sent. We have omitted
these subscripts in the above outline for the sake of readability. A more formal treatment is given in the
Appendix.

Lemma 1 ($\mathrm{hyb}_i = U_{kn+D}$ if $s_i = 1$). Let $A$ be a randomly chosen $k \times n$ matrix. Let $s$ be a random $k$-bit
binary secret vector. Further, assign $z = f(sA) + v$, where the bits of $v$ are i.i.d. Bernoulli distributed. Now,
let $c$ be a randomly chosen (independent of all other factors) $n$-bit binary vector. For an arbitrary $i \in [k]$,
let $A'$ denote the matrix formed by modifying only the $i^{th}$ row of $A$ as $(A')_i = (A)_i + c$. If $\mathrm{hyb}_i$ denotes the
distribution of the bit-string $(A', z)$, then $\mathrm{hyb}_i = U_{kn+D}$ if $s_i = 1$.

Proof. Consider the conditional probability $\Pr[z = r \mid A' = \tilde{A}]$ for some $\tilde{A}$ and an arbitrary $r \in \{0,1\}^D$.

$$\begin{aligned}
\Pr[z = r \mid A' = \tilde{A}] &= \Pr[f(sA) + v = r \mid A' = \tilde{A}] \\
&= \Pr[f(sA' + c) + v = r \mid A' = \tilde{A}] \qquad (\text{since } s_i = 1) \\
&= \Pr[f(s\tilde{A} + c) + v = r]
\end{aligned}$$
Fig. 4. Passing of Strings in the Proof of Theorem 2



We see that since $c$ is chosen at random, independent of the other variables, $s\tilde{A} + c$ is uniformly distributed in
$\{0,1\}^n$. Consequently, $f(s\tilde{A} + c)$ is uniformly distributed in $\{0,1\}^D$ by Property 3 of $f$. So, we have

$$\Pr[z = r \mid A' = \tilde{A}] = \Pr[f(s\tilde{A} + c) + v = r] = 2^{-D}. \qquad (3)$$

Further,

$$\Pr[z = r] = \sum_{x} \Pr[z = r \mid v = x]\,\Pr[v = x] = \sum_{x} \Pr[f(sA) = r + x]\,\Pr[v = x].$$

Since $A$ is chosen at random and due to Property 3 of $f$, we have $\Pr[f(sA) = r + x] = 2^{-D}$. So,

$$\Pr[z = r] = \sum_{x} 2^{-D}\,\Pr[v = x] = 2^{-D}. \qquad (4)$$

From (3) and (4), we see that $z$ is independent of $A'$. So $\Pr[A' = \tilde{A}, z = r] = \Pr[A' = \tilde{A}]\,\Pr[z = r] =
2^{-(kn+D)}$. Since this holds for any arbitrary $r \in \{0,1\}^D$, $\mathrm{hyb}_i = U_{kn+D}$ if $s_i = 1$. □

Since the function / plays an important role in this lemma, we have presented it here. Since the remaining 
proof of Theorem 2 is not dependent on the function /, and the proof is adapted from [8, 7], we merely 
state the theorem here. Please refer to Appendix for detailed proofs. 

Theorem 2 (Reducing UNLD to Distinguishing $\mathcal{A}_{s,\epsilon,f}$ and $U_{kn+D}$). Suppose there exists a probabilistic
polynomial-time algorithm $Y$ taking $q$ bitstrings of an unknown distribution (either $\mathcal{A}_{s,\epsilon,f}$ or $U_{kn+D}$) and
outputting 0/1, running in time $t$, such that the probability of outputting 1 when its input is drawn from
$U_{kn+D}$ and when its input is drawn from $\mathcal{A}_{s,\epsilon,f}$ differ by at least $\delta$, i.e.

$$\left| \Pr\left[s \leftarrow \{0,1\}^k : Y^{\mathcal{A}_{s,\epsilon,f}} = 1\right] - \Pr\left[Y^{U_{kn+D}} = 1\right] \right| \ge \delta.$$

Then there exists $X$ taking $q' = O(q \cdot \delta^{-2} \cdot \log k)$ bitstrings of $\mathcal{A}_{s,\epsilon,f}$, running in time $t' = O(t \cdot k \cdot \delta^{-2} \cdot \log k)$,
such that

$$\Pr\left[s \leftarrow \{0,1\}^k : X^{\mathcal{A}_{s,\epsilon,f}} = s\right] \ge \delta/4.$$

Proof. Please refer to Appendix A.
3.4.2 Theorem 3 Proof Outline 

Having proven the hardness of the distinguisher problem, we will now reduce it to the passive attack
problem, thus proving the hardness of the passive attack problem. The distinguisher algorithm $Y$ can be
constructed using algorithm $Z$ as follows. The algorithm $Y$ takes $q$ bitstrings from its unknown distribution,
and passes them to $Z$. In each bitstring, $Z$ treats the first $kn$ bits as the challenge matrix, and the next
$D$ bits as the corresponding response. This completes the query phase of $Z$. Now, $Y$ takes one last string
$(A, z)$ from the unknown distribution. It passes $A$, the first $kn$ bits of the string, to $Z$ as a challenge. Let $z'$
be the response that $Z$ gives $Y$ to this challenge. Then, it can be shown that if the input distribution had
been $U_{kn+D}$, then it is very unlikely that $z'$ and $z$ are near each other in terms of Hamming distance. On
the other hand, if the distribution had been $\mathcal{A}_{s,\epsilon,f}$, then these two are very likely to have Hamming distance
below a threshold because of certain properties of the distribution of the responses of $Z$. So, if $Y$ outputs 1 whenever the
Hamming distance $d(z', z)$ falls within an appropriately set threshold, the probability of $Y$ outputting 1
for the two distributions will vary significantly, thus fulfilling its requirements. This process is shown in
Figure 5. Again, we state only the formal theorem here, and give the complete proof in the Appendix.
Using this proof, and the reduction from algorithm $Y$ to $X$ in Theorem 2, we have a reduction from the
UNLD problem to the passive attack problem. So, we conclude that the passive attack problem is hard.













Fig. 5. Passing of Strings in the Proof of Theorem 3. (Figure: bitstrings from the unknown distribution 
($U_{kn+D}$ or $A_{s,\epsilon,f}$) are fed to Y, the distribution distinguisher, which forwards them to Z, the NLHB 
forger; from the last string (A, z), Y sends the challenge A to Z and receives the response z'. Y outputs 1 
if $d(z, z') < \epsilon'' D$, where $\epsilon''$ is such that $\epsilon' - 2\epsilon'\epsilon + \epsilon < \epsilon'' < 1/2$.) 



Theorem 3. (Reduction From Distinguishing $A_{s,\epsilon,f}$ and $U_{kn+D}$ To Forging NLHB Protocol in Passive 
Model): If $\mathrm{Adv}^{\text{passive}}_{Z}(k, \epsilon, u, f) = \delta$ is non-negligible for some polynomial-time adversary Z, then the 
UNLD problem can be efficiently solved. 

Proof. Refer to Appendix A. 

4 Implementation and Efficiency 



In this section, we consider the specific low-cost candidate for f given in (2) and demonstrate how existing 
passive attacks on the HB protocol fail against the NLHB protocol. Then, we compare the Prover complexity 
of the NLHB and HB protocols and demonstrate that the NLHB Prover has to carry out fewer operations 
than an HB Prover that achieves the same level of security. 

4.1 Resistance Against Current Passive Attacks 

Using the specific f in (2), we will show how the existing LF2 attack on LPN is ineffective on the NLHB 
protocol. Let $x = [x_1, \ldots, x_n] = sA = [s \cdot a_1, \ldots, s \cdot a_n]$, where $[a_1, \ldots, a_n]$ are the columns of A. Let $y = f(x)$. 
Then, the passive adversary to NLHB has access to $z = y + v$. 

As explained in Section 2.3, the LF2 (or BKW) algorithm works by repeatedly adding the columns 
of the matrix A and obtaining the response corresponding to this new matrix by adding the responses 
corresponding to the added columns. We examine the result when the attacker does one column addition. 
Let the attacker modify A into $A' = [a_1, \ldots, a_j + a_k, \ldots, a_n]$, i.e. he adds the k-th column to the j-th column. 
The corresponding matrix product between s and A' will be $\tilde{x} = [x_1, x_2, \ldots, x_j + x_k, \ldots, x_n]$, i.e. $\tilde{x}$ has the 
same bits as x except at the j-th position, where it is $x_j + x_k$. Let $\tilde{y} = f(\tilde{x})$. Now let us compare the 
unnoised responses y and $\tilde{y}$. As can be seen, the only output bits affected by the change of matrix are 
the ones with indices (j − 3), (j − 2), (j − 1), j. We readily see the following relationships. 



$$\begin{aligned}
y_{j-3} &= x_{j-3} + x_{j-2}x_{j-1} + x_{j-1}x_j + x_j x_{j-2}, \\
y_{j-2} &= x_{j-2} + x_{j-1}x_j + x_j x_{j+1} + x_{j+1}x_{j-1}, \\
y_{j-1} &= x_{j-1} + x_j x_{j+1} + x_{j+1}x_{j+2} + x_{j+2}x_j, \\
y_j &= x_j + x_{j+1}x_{j+2} + x_{j+2}x_{j+3} + x_{j+3}x_{j+1}, \\
\tilde{y}_{j-3} &= x_{j-3} + x_{j-2}x_{j-1} + x_{j-1}(x_j + x_k) + (x_j + x_k)x_{j-2}, \\
\tilde{y}_{j-2} &= x_{j-2} + x_{j-1}(x_j + x_k) + (x_j + x_k)x_{j+1} + x_{j+1}x_{j-1}, \\
\tilde{y}_{j-1} &= x_{j-1} + (x_j + x_k)x_{j+1} + x_{j+1}x_{j+2} + x_{j+2}(x_j + x_k), \\
\tilde{y}_j &= x_j + x_k + x_{j+1}x_{j+2} + x_{j+2}x_{j+3} + x_{j+3}x_{j+1}.
\end{aligned}$$

Let us denote the errors between these corresponding bits as $E_{j-3}, E_{j-2}, E_{j-1}, E_j$. From the above 
equations, we get 

$$\begin{aligned}
E_{j-3} &= y_{j-3} + \tilde{y}_{j-3} = x_{j-1}x_k + x_k x_{j-2}, \\
E_{j-2} &= x_{j-1}x_k + x_k x_{j+1}, \\
E_{j-1} &= x_{j+1}x_k + x_k x_{j+2}, \\
E_j &= x_k.
\end{aligned}$$

Each error term above is an unknown bit to the attacker, since he does not have access to either a noised 
or un-noised version of these terms. So, the attacker has to guess the error bits $E_{j-3}, E_{j-2}, E_{j-1}, E_j$ 
that need to be added to the new response to get the estimate of the response corresponding to the new 
matrix. The amount of uncertainty involved in guessing these bits can be found from the entropy of 
$[E_{j-3}, E_{j-2}, E_{j-1}, E_j]$. Since the bits $x_i$ are uniformly distributed, it can easily be seen that this entropy 
is equal to 2.5 bits. So each time a column is added, the attacker has to guess 2.5 bits on average. Since 
many such additions are needed in the LF2 attack, this attack is no longer feasible against the NLHB 
protocol. In Table 1, we give the values of the entropy of the bit-wise error terms for different choices of 
p = 2, 3, 4 and functions. For p = 4, we have shown only a few functions out of the many that achieve the 
maximum entropy of 3. As we can see, the entropy increases with increase in p, meaning that LF2 attacks 
are harder for higher p. 

p | Function achieving maximum entropy for given p                        | Maximum entropy achieved for given p 
2 | $y_i = x_i + x_{i+1}x_{i+2}$                                             | 2 
3 | $y_i = x_i + x_{i+1}x_{i+2} + x_{i+1}x_{i+3}$                            | 2.5 
3 | $y_i = x_i + x_{i+1}x_{i+3} + x_{i+2}x_{i+3}$                            | 2.5 
3 | $y_i = x_i + x_{i+1}x_{i+2} + x_{i+2}x_{i+3} + x_{i+3}x_{i+1}$           | 2.5 
4 | $y_i = x_i + x_{i+1}x_{i+4} + x_{i+2}x_{i+3}$                            | 3 
4 | $y_i = x_i + x_{i+1}x_{i+4} + x_{i+2}x_{i+4} + x_{i+3}x_{i+4}$           | 3 
4 | $y_i = x_i + x_{i+1}x_{i+4} + x_{i+2}x_{i+3} + x_{i+3}x_{i+4}$           | 3 

Table 1. Maximum Entropy Achieved Over All Functions For A Given p and The Function Achieving This 
Maximum 
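To make the entropy argument concrete, here is an added Python example (not code from the paper) that enumerates the error vector $[E_{j-p}, \ldots, E_j]$ induced by one LF2 column addition for any quadratic f of the form $y_i = x_i + \sum x_{i+a}x_{i+b}$, and computes its entropy exactly rather than by hand. The functions are the rows of Table 1, with F_P3 being the function (2) analysed above. The window of 2p + 1 input bits around $x_j$ plus $x_k$ is an assumption of the example (column k is taken to lie outside that window, so $x_k$ is an independent uniform bit); it reproduces the 2, 2.5 and 3 bits of the table for p = 2, 3, 4.

```python
from itertools import product
from math import log2

# Each candidate f is written as the offset pairs (a, b) of its products, so that
# y_i = x_i + sum over pairs of x_{i+a} x_{i+b}   (all arithmetic over GF(2)).
# F_P3 is the function (2) used in Section 4.1; the others are rows of Table 1.
F_P2 = [(1, 2)]
F_P3 = [(1, 2), (2, 3), (3, 1)]
F_P4 = [(1, 4), (2, 3)]


def eval_f(x, pairs, n_out):
    """Return [y_0, ..., y_{n_out-1}] for the input bit list x."""
    out = []
    for i in range(n_out):
        bit = x[i]
        for a, b in pairs:
            bit ^= x[i + a] & x[i + b]
        out.append(bit)
    return out


def error_distribution(pairs):
    """Exact distribution of the error vector E = y + y~ caused by adding column k
    of A into column j, which turns x_j into x_j + x_k and leaves every other x_i alone.

    Only y_{j-p}, ..., y_j depend on x_j, so a window x_{j-p}, ..., x_{j+p} (index j
    sits at position p) together with x_k determines E completely.  Assumption of
    this example: column k lies outside the window, so x_k is an independent uniform bit.
    """
    p = max(max(a, b) for a, b in pairs)
    j = p
    counts = {}
    for bits in product((0, 1), repeat=2 * p + 2):
        x, x_k = list(bits[:-1]), bits[-1]
        x_mod = list(x)
        x_mod[j] ^= x_k
        y = eval_f(x, pairs, p + 1)
        y_mod = eval_f(x_mod, pairs, p + 1)
        e = tuple(u ^ v for u, v in zip(y, y_mod))
        counts[e] = counts.get(e, 0) + 1
    total = 2 ** (2 * p + 2)
    return {e: c / total for e, c in counts.items()}


def error_entropy(pairs):
    """Shannon entropy (bits) of the error vector: what the attacker must guess per column addition."""
    return -sum(q * log2(q) for q in error_distribution(pairs).values())


def table1():
    """Entropies of the functions listed in Table 1, keyed by p."""
    return {
        2: [error_entropy(F_P2)],
        3: [error_entropy(F_P3),
            error_entropy([(1, 2), (1, 3)]),
            error_entropy([(1, 3), (2, 3)])],
        4: [error_entropy(F_P4),
            error_entropy([(1, 4), (2, 4), (3, 4)]),
            error_entropy([(1, 4), (2, 3), (3, 4)])],
    }


if __name__ == "__main__":
    for p, values in table1().items():
        print(p, ["%.2f" % v for v in values])
```

Half of the probability mass sits on the all-zero error vector (the case $x_k = 0$), and the other half is spread uniformly over $2^p$ vectors with $E_j = 1$; that is why the entropy is exactly $0.5 + (p+1)/2$ bits for the functions that reach the maximum in Table 1.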

Similar arguments can be given for the infeasibility of the Imai [3] attack, which also relies heavily on 
linearity. The Imai attack attempts to isolate bits of the response vector that are noise-free and process 
them to obtain the secret key through Gaussian elimination. However, due to the nonlinear nature of f, 
Gaussian elimination is not possible with NLHB. Instead, the attacker must solve a system of around 
(k + j) nonlinear equations in k variables (one for each bit of the secret key). Considering that the number 
of variables is large, it would be interesting to see if such an attack, which involves repeatedly solving systems 
of nonlinear equations, can be mounted efficiently. 

The infeasibility of passive attacks on the related HB protocol indicates that the NLHB protocol can 
achieve 80-bit security using key sizes smaller than 512 bits, which is the number of key bits needed by the 
HB protocol. Added to this, the fact that no passive solutions exist to the problem of decoding the random 
non-linear codes described here (or for decoding random non-linear codes in general) implies that it is 
reasonable to use key sizes very close to 80 bits with this protocol. However, as a safe value for the key size, 
we suggest using 128-bit keys as secrets to resist all known passive attacks on the HB protocol. 

4.2 Comparison of Prover Complexity of NLHB and HB 

Since each scalar multiplication in the binary field requires one AND gate and one binary addition requires 
one XOR gate, we calculate the Prover (or Verifier) algorithm's complexity in terms of binary additions 
and scalar multiplications. Further, since the complexity involved in adding noise is the same in both 
protocols, we compare the complexity involved in the calculation of the un-noised responses in the Prover 
(or Verifier). 

The response calculated by the HB protocol for a given random matrix challenge $A_{k \times n}$ is given by 
$z = sA + v$. The matrix product requires kn scalar multiplications and (k − 1)n (binary) additions for 
its calculation. Assuming that ε = .25 and ε' = .348, the length of the final vector to which noise is added 
should be n = 1164 [2]. The value of k for the HB protocol to achieve 80-bit security is around k = 512. 

In the NLHB protocol, we have a k × (D + p) challenge matrix A which we use to find sA. This requires 
k(D + p) scalar multiplications and (k − 1)(D + p) additions. Further, for the NLHB protocol, we have to 
evaluate the function f over this vector. If we assume that we use the function f in (2) (with p = 3), we 
require 3D scalar multiplications and 3D additions for evaluating the function f. So to calculate f(sA), 
we need k(D + 3) + 3D = kD + 3k + 3D multiplications and 3D + (k − 1)(D + 3) = kD + 2D + 3k − 3 
additions. Since we add a length-D noise vector in NLHB, D has to be 1164. 

For the sake of comparing complexities, if we assume a high-security version of NLHB which uses 
k = 512, then we see that NLHB needs a total of 600996 multiplications and 599829 additions, whereas 
the HB protocol requires 595968 multiplications and 594804 additions. This approximately represents a 0.85% 
increase in both the number of multiplications and additions. This shows us that even in comparison 
to an HB protocol using the same key size as the NLHB protocol, the addition in complexity due to the 
introduction of f is very small. 

Protocol | k   | ε   | ε'   | Size of challenge matrix | Length of Prover response | Scalar multiplications | Scalar additions 
HB       | 512 | .25 | .348 | 512 × 1164               | n = 1164                  | 595968                 | 594804 
NLHB     | 128 | .25 | .348 | 128 × 1167               | D = 1164                  | 152868                 | 151701 

Table 2. Comparison of Prover/Verifier complexities between NLHB and HB for f with p = 3, false-reject 
probability $P_{FR} = 2^{-40}$ and false-accept probability $P_{FA} = 2^{-80}$ and 80-bit security. 

However, with k = 128, the computation of the noise-free NLHB response requires 152868 scalar multipli- 
cations and 151701 additions, which is far less than the number of computations needed for an HB protocol 
Prover to achieve the same level of security, which requires about 512 secret bits. 
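The operation counts above can be checked by instrumenting a straightforward bit-serial implementation. The following added Python example (not the paper's code) computes the un-noised responses sA for HB and f(sA) for NLHB with f from (2), counting every AND (scalar multiplication) and XOR (binary addition) actually executed, and compares the counts with the closed-form expressions kn, (k − 1)n, kD + 3k + 3D and kD + 2D + 3k − 3. The secrets and challenge matrices are constructed sample inputs drawn with a fixed seed.

```python
import random

P = 3
PAIRS = [(1, 2), (2, 3), (3, 1)]   # f from (2): y_i = x_i + x_{i+1}x_{i+2} + x_{i+2}x_{i+3} + x_{i+3}x_{i+1}


class GateCounter:
    """Counts scalar multiplications (AND gates) and binary additions (XOR gates) over GF(2)."""

    def __init__(self):
        self.mul_count = 0
        self.add_count = 0

    def mul(self, a, b):
        self.mul_count += 1
        return a & b

    def add(self, a, b):
        self.add_count += 1
        return a ^ b


def vec_mat(s, A, ncols, gc):
    """x = sA over GF(2); k ANDs and k - 1 XORs per column."""
    k = len(s)
    x = []
    for col in range(ncols):
        acc = gc.mul(s[0], A[0][col])
        for row in range(1, k):
            acc = gc.add(acc, gc.mul(s[row], A[row][col]))
        x.append(acc)
    return x


def hb_unnoised(s, A, n, gc):
    """HB: z* = sA for a k x n challenge."""
    return vec_mat(s, A, n, gc)


def nlhb_unnoised(s, A, D, gc):
    """NLHB: z* = f(sA) for a k x (D + p) challenge; f costs 3 ANDs and 3 XORs per output bit."""
    x = vec_mat(s, A, D + P, gc)
    y = []
    for i in range(D):
        acc = x[i]
        for a, b in PAIRS:
            acc = gc.add(acc, gc.mul(x[i + a], x[i + b]))
        y.append(acc)
    return y


def random_instance(k, ncols, seed):
    """Constructed sample secret and challenge matrix (example input, fixed seed)."""
    rng = random.Random(seed)
    s = [rng.randrange(2) for _ in range(k)]
    A = [[rng.randrange(2) for _ in range(ncols)] for _ in range(k)]
    return s, A


def count_hb(k, n, seed=0):
    """(multiplications, additions) actually performed by the HB Prover computation."""
    s, A = random_instance(k, n, seed)
    gc = GateCounter()
    hb_unnoised(s, A, n, gc)
    return gc.mul_count, gc.add_count


def count_nlhb(k, D, seed=0):
    """(multiplications, additions) actually performed by the NLHB Prover computation."""
    s, A = random_instance(k, D + P, seed)
    gc = GateCounter()
    nlhb_unnoised(s, A, D, gc)
    return gc.mul_count, gc.add_count


def predicted_hb(k, n):
    return k * n, (k - 1) * n


def predicted_nlhb(k, D):
    return k * D + 3 * k + 3 * D, k * D + 2 * D + 3 * k - 3


if __name__ == "__main__":
    print("HB   k=512, n=1164:", count_hb(512, 1164), predicted_hb(512, 1164))
    print("NLHB k=128, D=1164:", count_nlhb(128, 1164), predicted_nlhb(128, 1164))
    print("NLHB k=512, D=1164:", predicted_nlhb(512, 1164))
```

The instrumented counts match the formulas exactly because the bit-serial loop performs no operation that the gate model does not charge for; a hardware implementation would add only the noise-generation and comparison logic, which the text treats as common to both protocols.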

5 NLHB+ Protocol : Extending NLHB To Achieve Security in "DET" Model 

Though the NLHB protocol is secure against a passive adversary, it is not secure against an active 
attacker. An efficient active attack similar to the one demonstrated against HB can also be mounted on 
the NLHB protocol. So, in the spirit of the HB+ protocol, we propose the NLHB+ protocol to provide 
complete security in the DET model. 

Figure 6 shows the NLHB+ protocol. The Prover and Verifier share two secrets $s_1$ and $s_2$. Here, 
the authentication session is started when the Prover transmits a random k × n blinding matrix B to 
the Verifier, which responds with a random k × n challenge matrix A. The Prover responds with 
$z = f(s_1 B) + f(s_2 A) + v$, where f and v are as defined in the NLHB protocol. The Verifier replies with 
"Accept" iff $d(z, f(s_1 B) + f(s_2 A)) < \epsilon' D$. NLHB+ depends on the hardness of the UNLD problem for 
security against passive attacks. In addition, NLHB+ is secure against active attacks in the "DET" model 
as shown in the next section. 

Fig. 6. Parallelized version of the NLHB+ protocol. (Figure: secrets shared: $s_1, s_2$. The Prover chooses 
$B \in \{0,1\}^{k \times n}$ and sends B; the Verifier chooses $A \in \{0,1\}^{k \times n}$ and sends A; the Prover sends 
$z_{1 \times D} = f(s_1 B) + f(s_2 A) + v$; the Verifier outputs "Accept" iff $d(z, f(s_1 B) + f(s_2 A)) < \epsilon' D$.) 

5.1 Security Proof for NLHB+ In the "DET" Model 

The security proof for NLHB+ in the "DET" model is given in Theorem 4, which gives a reduction to 
active attacks on the NLHB+ protocol from the problem of differentiating $A_{s,\epsilon,f}$ and $U_{kn+D}$. Since the 
latter problem has already been proven hard, this proves the hardness of active attacks. The strategy for 
Theorem 4 is broadly based on the proofs given in [8] with appropriate modifications to accommodate the 
function f. So, we simply give an outline of the theorem and the theorem statement here. Please refer to the 
appendix for the complete proof. 

First, we give some relevant definitions. 



1. The algorithm $Z_+$ is a polynomial-time NLHB+ active adversary. It is a two-phased algorithm. In its 
query phase, it takes a k × n random matrix B as input. It then responds with a challenge matrix A 
(which can be non-random). It should then be given the response that would be given by a legitimate 
NLHB+ Prover for this B and A, i.e. $z = f(s_1 B) + f(s_2 A) + v$ for secrets $s_1$ and $s_2$. In its challenge 
phase, $Z_+$ first sends a random blinding matrix B to the NLHB+ Verifier. It then receives a challenge 
matrix A from the Verifier and generates a response z that can generate "Accept" from the NLHB+ 
Verifier with non-negligible probability. 

2. $\mathrm{Adv}^{\text{active}}_{Z_+}(k, \epsilon, u, f)$ denotes the advantage of an active adversary against the NLHB+ protocol. 
It is defined as the difference between the probabilities of success of $Z_+$ and of a random attacker. Since the latter 
is $P_{FA}$, the probability of false-accept, and is negligible for large D, the advantage is almost the same 
as the probability of success of $Z_+$. The advantage is a function of the parameters k, ε and u. 

5.1.1 Outline of Proof of Theorem 4 

The goal is to construct an algorithm Y that can differentiate $U_{kn+D}$ from $A_{s_1,\epsilon,f}$, which is the NLHB 
distribution with secret $s_1$. To simulate an NLHB+ Prover with two secrets to the algorithm $Z_+$, Y generates 
a random vector $s_2$ to be used as the second NLHB+ secret. Now, Y obtains a (kn + D)-length bitstring 
from the unknown distribution. We denote the first kn bits of this string as B and the last D bits as z. Y 
passes B to $Z_+$, which responds with a challenge matrix A. Now, Y responds with $\tilde{z} = z + f(s_2 A)$. Note 
that if the input distribution had been $A_{s_1,\epsilon,f}$, this is exactly the response expected by $Z_+$ for the secret 
pair $(s_1, s_2)$. This process is repeated q times to complete the query phase of $Z_+$. 

In the challenge phase, the main trick used by Y is that of rewinding $Z_+$. After receiving a blinding 
matrix B from $Z_+$, it sends a matrix $A^{(1)}$ and receives response $z^{(1)}$ from $Z_+$. Now, it rewinds $Z_+$ to the 
point where it sent B, and sends another challenge $A^{(2)}$ and receives $z^{(2)}$ for the same B. By summing 
these responses $z^{(1)}$ and $z^{(2)}$, the effect of the unknown $s_1$ can be removed. This is because $z^{\oplus} = z^{(1)} + z^{(2)}$ 
is simply a noisy version of $\bar{z} = f(s_2 A^{(1)}) + f(s_2 A^{(2)})$. Now it is easy to make statements about the 
distance between these two vectors. It can be shown that in case the distribution is $U_{kn+D}$, the probability 
that these vectors are "close" (within a threshold distance) is low, and that if the distribution is $A_{s_1,\epsilon,f}$, 
then this probability is a non-negligible function of δ (the advantage of $Z_+$), which is assumed to be non- 
negligible. So, Y is able to output 1 with very different probabilities for the two distributions, thus helping 
us differentiate them. The passing of strings in this algorithm construction is shown in Figure 7. Since we 
already know that UNLD reduces to the problem of differentiating these distributions, we can now say 
that UNLD reduces to the active attack problem. So, the active attack problem is hard. We now state the 
formal theorem and give the complete proof in the appendices. 
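The exchange of Figure 6 and the rewinding identity used by Y above, as an added Python example (not code from the paper): an honest Prover and Verifier run one NLHB+ session with f from (2), and then two responses to the same blinding matrix B with challenges $A^{(1)}$ and $A^{(2)}$ are summed to show that $z^{(1)} + z^{(2)}$ equals $f(s_2 A^{(1)}) + f(s_2 A^{(2)})$ plus the noise $v^{(1)} + v^{(2)}$, with no dependence on $s_1$. The parameter values ε = .25 and ε' = .348, the small k and D, the fixed seed and the acceptance rule $d \leq \epsilon' D$ are assumptions of the example; the secrets, matrices and noise vectors are constructed sample inputs.

```python
import random

P = 3
PAIRS = [(1, 2), (2, 3), (3, 1)]   # f from (2): y_i = x_i + x_{i+1}x_{i+2} + x_{i+2}x_{i+3} + x_{i+3}x_{i+1}
EPS, EPS_PRIME = 0.25, 0.348      # assumed noise rate and acceptance threshold (the Table 2 values)


def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]


def hamming(a, b):
    return sum(xor(a, b))


def vec_mat(s, M):
    """s*M over GF(2): s has k bits, M is k rows of n bits, the result has n bits."""
    return [sum(si & row[c] for si, row in zip(s, M)) & 1 for c in range(len(M[0]))]


def f(x):
    """The non-linear map of (2): len(x) - P output bits, each from a window of P + 1 inputs."""
    out = []
    for i in range(len(x) - P):
        bit = x[i]
        for a, b in PAIRS:
            bit ^= x[i + a] & x[i + b]
        out.append(bit)
    return out


def rand_bits(rng, n):
    return [1 if rng.random() < 0.5 else 0 for _ in range(n)]


def rand_matrix(rng, k, n):
    return [rand_bits(rng, n) for _ in range(k)]


def noise(rng, D, eps):
    """v: D independent Bernoulli(eps) bits."""
    return [1 if rng.random() < eps else 0 for _ in range(D)]


def unnoised(s1, s2, B, A):
    """f(s1 B) + f(s2 A): computed by the Prover and recomputed by the Verifier."""
    return xor(f(vec_mat(s1, B)), f(vec_mat(s2, A)))


def prover_response(s1, s2, B, A, v):
    return xor(unnoised(s1, s2, B, A), v)


def verifier_accepts(s1, s2, B, A, z, eps_prime):
    """'Accept' iff d(z, f(s1 B) + f(s2 A)) <= eps' * D (threshold u = eps' D)."""
    return hamming(z, unnoised(s1, s2, B, A)) <= eps_prime * len(z)


def run_session(k, D, seed=1):
    """One honest NLHB+ session, a random-guess response, and the s1-cancelling sum."""
    rng = random.Random(seed)
    n = D + P                                   # matrices are k x (D + p) so that f yields D bits
    s1, s2 = rand_bits(rng, k), rand_bits(rng, k)
    # Protocol: Prover -> B, Verifier -> A, Prover -> z = f(s1 B) + f(s2 A) + v
    B = rand_matrix(rng, k, n)
    A = rand_matrix(rng, k, n)
    z = prover_response(s1, s2, B, A, noise(rng, D, EPS))
    honest_ok = verifier_accepts(s1, s2, B, A, z, EPS_PRIME)
    random_ok = verifier_accepts(s1, s2, B, A, rand_bits(rng, D), EPS_PRIME)
    # Theorem 4 trick: two responses to the same B with challenges A1, A2, then summed
    A1, A2 = rand_matrix(rng, k, n), rand_matrix(rng, k, n)
    v1, v2 = noise(rng, D, EPS), noise(rng, D, EPS)
    z1 = prover_response(s1, s2, B, A1, v1)
    z2 = prover_response(s1, s2, B, A2, v2)
    z_sum = xor(z1, z2)                                    # z^(+) in the proof outline
    z_bar = xor(f(vec_mat(s2, A1)), f(vec_mat(s2, A2)))    # depends on s2 only
    s1_cancelled = xor(z_sum, z_bar) == xor(v1, v2)        # the f(s1 B) terms cancel exactly
    return {"honest_accepted": honest_ok, "random_accepted": random_ok,
            "s1_cancelled": s1_cancelled, "sum_distance": hamming(z_sum, z_bar), "D": D}


if __name__ == "__main__":
    print(run_session(k=64, D=400))
```

The distance between the summed responses and $\bar{z}$ is the weight of $v^{(1)} + v^{(2)}$, whose bits are 1 with probability $2\epsilon(1-\epsilon)$, still below 1/2; this is the gap the distinguisher Y exploits, since for uniform input the same distance concentrates around D/2.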

Theorem 4. If for some polynomial-time adversary $Z_+$, $\mathrm{Adv}^{\text{active}}_{Z_+}(k, \epsilon, u, f)$ is non-negligible, then 
the UNLD problem can be efficiently solved. 

Proof. Refer to Appendix B. 

6 Conclusion And Future Work 

In this paper, we have proven the hardness of a non-linear decoding problem that we call the UNLD 
problem and proposed the NLHB and NLHB+ authentication protocols, which are variants of HB and 
HB+. These new protocols have better passive attack security than the HB and HB+ protocols. They have 
low complexity and are most suited for RFID tags and other low-cost devices deployed in scenarios with 
attack monitoring. 

In the future, it would be interesting to see if the MIM attacks [9, 10] (part of a prevention-based attack 
model) on the HB family of protocols can be prevented by making appropriate changes to the NLHB 
protocol. This would give rise to a protocol that can be used in systems where the presence of attacks is not 
monitored. Another useful line of exploration would be to study whether the NLHB protocol offers any advantage 
compared to other protocols in real channels, since noise is an intrinsic part of the protocol's design. 

Fig. 7. Passing of Strings in Theorem 4 Proof. (Figure: Y draws (B, z) from $U_{kn+D}$ or $A_{s_1,\epsilon,f}$, picks a 
random $s_2$, and passes B to $Z_+$ (NLHB+ attacker); this is repeated q times in the query phase of $Z_+$. 
In the challenge phase, Y receives B from $Z_+$, challenges it with $A^{(1)}$, rewinds $Z_+$, challenges it with 
$A^{(2)}$, and forms $\bar{z} = f(s_2 A^{(1)}) + f(s_2 A^{(2)})$ and $z^{\oplus} = z^{(1)} + z^{(2)}$.) 
A Formal Security Proof For NLHB In Passive Model 

Theorem 2: Reduction From UNLD Problem To Distinguishing $A_{s,\epsilon,f}$ and $U_{kn+D}$ 

Suppose there exists a probabilistic polynomial-time algorithm Y taking q bitstrings of an unknown dis- 
tribution (either $A_{s,\epsilon,f}$ or $U_{kn+D}$) and outputting 0/1, running in time t, such that the probability of 
outputting 1 when its input is drawn from $U_{kn+D}$ and when its input is drawn from $A_{s,\epsilon,f}$ differ by at least 
δ, i.e. 

$$\left| \Pr\left[ s \leftarrow \{0,1\}^k : Y^{A_{s,\epsilon,f}} = 1 \right] - \Pr\left[ Y^{U_{kn+D}} = 1 \right] \right| \geq \delta. \quad (5)$$

Then there exists X taking $q' = O(q \cdot \delta^{-2} \log(k))$ bitstrings of $A_{s,\epsilon,f}$ running in time $t' = O(t \cdot k \cdot \delta^{-2} \log(k))$ 
such that 

$$\Pr\left[ s \leftarrow \{0,1\}^k : X^{A_{s,\epsilon,f}} = s \right] \geq \delta/4.$$
Algorithm X does the following: 

1. Pick $N = O(\delta^{-2} \log(k))$. 

2. X chooses w coins for Y and uses these for the rest of the execution.¹ 

3. X runs $Y^{U_{kn+D}}(w)$ N times to obtain a bit string $b = [b_1, \ldots, b_N]$. Let $p = \mathrm{wt}(b)/N$ be an estimate for the 
probability that Y outputs 1. 

4. X obtains qN samples $(A_{vj}, z_{vj})$, j = 1, ..., q; v = 1, ..., N of distribution $A_{s,\epsilon,f}$ (q samples per response 
bit from Y multiplied by the N responses required from Y). For i ∈ [k]: 

(a) Pick a random n-bit vector $c_{vj}$ for j = 1, ..., q; v = 1, ..., N. Modify $(A_{vj})_i$, the i-th row of $A_{vj}$, as 
$(A'_{vj})_i = (A_{vj})_i + c_{vj}$ to get a modified matrix $A'_{vj}$. Pass the modified instances $(A'_{vj}, z_{vj})$ to Y 
for v = 1, j = 1, ..., q to obtain its response $b'_1$. Repeat this for v = 1, ..., N to get the bit-string 
$b' = [b'_1, \ldots, b'_N]$. Let $p_i = \mathrm{wt}(b')/N$ be an estimate of the probability that Y returns a 1 when the i-th 
row of $A_{vj}$; v ∈ [N], j ∈ [q] is modified. 

(b) If $|p_i - p| > \delta/4$ set $s'_i = 0$, else set $s'_i = 1$. 

5. Output $s' = (s'_1, \ldots, s'_k)$. 

Note 1: There are three sources of randomness here. One is the randomness in the unknown key s. The 
second is the randomness present in the decisions made by the existential algorithm Y. This randomness 
is denoted by the w coins chosen for Y at the beginning of the above algorithm. Both the key s and the 
w coins are picked and held constant over the whole run of the algorithm. The third source of randomness 
comes from the picking of bitstrings from the distribution itself. 

Note 2: The difference in the probabilities of Y outputting 1 for the two distributions in (5) is an 
averaged quantity. It is averaged over the key s and also over the randomness in the algorithm Y itself. 
However, one run of the above algorithm only uses one instance of s and w. So, instead of using these 
averaged probabilities in our analysis, we should use the probabilities associated with the particular key 
and randomness w used in this run of the algorithm Y. We will refer to the probability of Y outputting 
1 when it uses these particular w coins as $\Pr[Y^{U_{kn+D}}(w) = 1]$ (similarly $\Pr[Y^{A_{s,\epsilon,f}}(w) = 1]$), i.e. we use the 
argument w to denote a particular set of decisions followed by Y. 

Analysis of the Algorithm: 

From the algorithm, we see that p is an estimate for $\Pr[Y^{U_{kn+D}}(w) = 1]$. Further, if $hyb_i$ denotes the 
distribution of the (kn + D) bits passed to Y by X in step 4(a), then $p_i$ is an estimate of $\Pr[Y^{hyb_i}(w) = 1]$. 
We now prove that for the chosen value of $N = O(\delta^{-2} \log(k))$, p and $p_i$ are very close estimates of these 
values. 

¹ The coins act as the source of randomness in Y. In other words, the choosing of these coins can be thought of as 
Y following one set of probabilistic decisions in its functioning out of the many possibilities. 

Consider $\Pr[\,|\Pr[Y^{U_{kn+D}}(w) = 1] - p| < \delta/16\,]$, i.e. the probability of the event that the actual value of 
$\Pr[Y^{U_{kn+D}}(w) = 1]$ and its estimate are within δ/16 of each other. For ease of readability, let us denote 
$\Pr[Y^{U_{kn+D}}(w) = 1]$ by $\Pr_U$. 

Accuracy of Estimates $p_i$ and p: 

We know that $p = \mathrm{wt}(b)/N$. Each bit of b follows a Bernoulli distribution with mean $\Pr_U$. So, wt(b) 
follows a Binomial distribution with mean $N \Pr_U$. So, 

$$\begin{aligned}
\Pr[\,|p - \Pr_U| < \delta/16\,] &= \Pr[\,|\mathrm{wt}(b) - N\Pr_U| < N\delta/16\,], \\
&= \Pr[N\Pr_U - N\delta/16 < \mathrm{wt}(b) < N\Pr_U + N\delta/16], \\
&= 1 - \Pr[\mathrm{wt}(b) \geq N\Pr_U + N\delta/16] - \Pr[\mathrm{wt}(b) \leq N\Pr_U - N\delta/16].
\end{aligned}$$



By applying Chernoff bounds on this Binomial random variable, we have 

$$\Pr[\,|p - \Pr_U| < \delta/16\,] \geq 1 - \exp\left(-\frac{N\delta^2}{768\Pr_U}\right) - \exp\left(-\frac{N\delta^2}{512\Pr_U}\right). \quad (6)$$



Now, we use $N = O(\delta^{-2}\log(k))$. Let $d_1$ be a large constant such that $N \geq d_1 \delta^{-2} \log(k)$. Applying this in (6), 
we get 

$$\Pr[\,|p - \Pr_U| < \delta/16\,] \geq 1 - \left(\frac{1}{k}\right)^{\frac{d_1}{768\Pr_U}} - \left(\frac{1}{k}\right)^{\frac{d_1}{512\Pr_U}}. \quad (7)$$

By similar reasoning, we also have 

$$\Pr[\,|\Pr_{h_i} - p_i| < \delta/16\,] \geq 1 - \left(\frac{1}{k}\right)^{\frac{d_1}{768\Pr_{h_i}}} - \left(\frac{1}{k}\right)^{\frac{d_1}{512\Pr_{h_i}}}, \quad (8)$$

where $\Pr_{h_i}$ is used to denote $\Pr[Y^{hyb_i}(w) = 1]$ for ease of readability. We know that, for two independent 
events $E_1$ and $E_2$, if $\Pr[E_1] \geq 1 - a$ and $\Pr[E_2] \geq 1 - b$, then $\Pr[E_1 \cap E_2] \geq 1 - a - b$. Applying this 
here, we see that $|p - \Pr_U| < \delta/16$ and $|\Pr_{h_i} - p_i| < \delta/16$ (the latter for all i) hold simultaneously with 
probability 

$$\geq 1 - \left(\frac{1}{k}\right)^{\frac{d_1}{768\Pr_U}} - \left(\frac{1}{k}\right)^{\frac{d_1}{512\Pr_U}} - \sum_{i=1}^{k}\left[\left(\frac{1}{k}\right)^{\frac{d_1}{768\Pr_{h_i}}} + \left(\frac{1}{k}\right)^{\frac{d_1}{512\Pr_{h_i}}}\right].$$

Let $l = \min\left\{\frac{d_1}{768\Pr_U}, \frac{d_1}{512\Pr_U}, \frac{d_1}{768\Pr_{h_1}}, \frac{d_1}{512\Pr_{h_1}}, \ldots, \frac{d_1}{768\Pr_{h_k}}, \frac{d_1}{512\Pr_{h_k}}\right\}$. Then the above expression can 
be lower-bounded as 

$$\geq 1 - (2k + 2)\,k^{-l} \geq 1 - 4k^{1-l}.$$

By choosing $d_1$ sufficiently large ($d_1 = 41$, say), we have that (7) and (8) hold simultaneously with 
probability $\geq (1 - 4k^{1-l}) \geq 1/2$ (for k > 1). 

In summary, we have that the following equations hold simultaneously with probability at least 1/2: 

$$\left|\,p - \Pr[Y^{U_{kn+D}}(w) = 1]\,\right| < \delta/16, \quad (9)$$

$$\left|\,p_i - \Pr[Y^{hyb_i}(w) = 1]\,\right| < \delta/16, \quad 1 \leq i \leq k. \quad (10)$$



Suppose $s_i = 1$: 

Now, consider the case where $s_i = 1$. By Lemma 1, in this case, $hyb_i = U_{kn+D}$. So, if both (9) and 
(10) hold, then for the case of $s_i = 1$, we have 

$$|p_i - p| < 2\delta/16 = \delta/8. \quad (11)$$

Suppose $s_i = 0$: 

Now consider $s_i = 0$. Then, since the i-th row of $A'_{vj}$ never plays a role in the output, $hyb_i = A_{s,\epsilon,f}$. 
Now let us bound $|p_i - p|$ in this case. 
From the definition of Y, we have 

$$\left|\Pr\left[s \leftarrow \{0,1\}^k : Y^{A_{s,\epsilon,f}} = 1\right] - \Pr\left[Y^{U_{kn+D}} = 1\right]\right| \geq \delta.$$

This is a bound on the difference between the probabilities on average. Using a standard averaging 
argument, we now derive a bound for the difference between the probabilities of Y outputting 1 in each 
case for the given instance of s and w. 

Lemma 2. By a standard averaging argument, with probability ≥ δ/2 over the choice of s and the random 
coins w, the following equation holds: 

$$\left|\Pr\left[Y^{A_{s,\epsilon,f}}(w) = 1\right] - \Pr\left[Y^{U_{kn+D}}(w) = 1\right]\right| \geq \delta/2, \quad (12)$$

where the probabilities inside the equation are over the randomness involved in picking bitstrings from the 
distributions. 

Proof. We prove this Lemma at the end of this Theorem. 

Since we know that when $s_i = 0$, $hyb_i = A_{s,\epsilon,f}$, it follows that $\Pr[Y^{hyb_i}(w) = 1] = \Pr[Y^{A_{s,\epsilon,f}}(w) = 1]$. So, 
from (12), we have 

$$\left|\Pr\left[Y^{hyb_i}(w) = 1\right] - \Pr\left[Y^{U_{kn+D}}(w) = 1\right]\right| \geq \delta/2. \quad (13)$$

Rewriting (13), we have 

$$\begin{aligned}
\delta/2 &\leq \left|\Pr\left[Y^{hyb_i}(w) = 1\right] - p_i + p_i - \Pr\left[Y^{U_{kn+D}}(w) = 1\right] - p + p\right|, \\
&\leq |p_i - p| + \left|\Pr\left[Y^{hyb_i}(w) = 1\right] - p_i\right| + \left|\Pr\left[Y^{U_{kn+D}}(w) = 1\right] - p\right|, \\
&\leq |p_i - p| + \delta/16 + \delta/16,
\end{aligned}$$

assuming (9) and (10) hold. Finally, this implies 

$$|p_i - p| \geq \delta/2 - 2\delta/16 = 3\delta/8. \quad (14)$$

So, if $s_i = 0$, then $|p_i - p| \geq 3\delta/8$. 

So, in Step 5 of the algorithm X, if $|p_i - p| < \delta/4$ the estimated message bit is 1, else it is 0. Since 
(12) holds with probability at least δ/2 and (9) and (10) hold with a further probability of .5, the probability 
that (11) and (14) hold is at least δ/4. Hence, algorithm X succeeds with probability at least δ/4. □ 

Proof For Lemma 2: Let R be the set of all possibilities for the key s and the w coins. Then, by 
our definition of Y, we have 

$$\sum_{(s,w) \in R} \Pr[s,w]\,\left|\Pr[Y^{A_{s,\epsilon,f}}(w) = 1] - \Pr[Y^{U_{kn+D}}(w) = 1]\right| \geq \delta. \quad (15)$$

Let the subset $R' \subset R$ be the set such that $\forall r' = (s', w') \in R'$, we have 

$$\left|\Pr[Y^{A_{s',\epsilon,f}}(w') = 1] - \Pr[Y^{U_{kn+D}}(w') = 1]\right| < \delta/2. \quad (16)$$

Then, in contradiction to Lemma 2, assume that the probability that r' is picked at random is at least 1 − δ/2. 
Assuming that all r' are equally likely to be picked, this implies that $\sum_{(s',w') \in R'} \Pr[s',w'] \geq 1 - \delta/2$ and 
consequently, $\sum_{(s,w) \in R \setminus R'} \Pr[s,w] < \delta/2$. 

Now, splitting the left-hand side (LHS) of (15) into summations over R' and R \ R', we have 

$$\mathrm{LHS} = \sum_{(s',w') \in R'} \Pr[s',w']\,\left|\Pr[Y^{A_{s',\epsilon,f}}(w') = 1] - \Pr[Y^{U_{kn+D}}(w') = 1]\right| + \sum_{(s,w) \in R \setminus R'} \Pr[s,w]\,\left|\Pr[Y^{A_{s,\epsilon,f}}(w) = 1] - \Pr[Y^{U_{kn+D}}(w) = 1]\right|.$$

By (16) and the fact that $\left|\Pr[Y^{A_{s,\epsilon,f}}(w) = 1] - \Pr[Y^{U_{kn+D}}(w) = 1]\right| \leq 1$ (because it contains probability 
terms), we have 

$$\begin{aligned}
\mathrm{LHS} &< (\delta/2) \sum_{(s',w') \in R'} \Pr[s',w'] + \sum_{(s,w) \in R \setminus R'} \Pr[s,w]\,(1), \\
&= (\delta/2)\Big(1 - \sum_{(s,w) \in R \setminus R'} \Pr[s,w]\Big) + \sum_{(s,w) \in R \setminus R'} \Pr[s,w].
\end{aligned}$$

Since we had δ ≤ our original LHS from (15), this implies 

$$\begin{aligned}
\delta &< (\delta/2) + (1 - \delta/2) \sum_{(s,w) \in R \setminus R'} \Pr[s,w], \\
\sum_{(s,w) \in R \setminus R'} \Pr[s,w] &> \delta/2,
\end{aligned}$$

which contradicts our initial assumption about the set R'. So, by contradiction, Lemma 2 is true. □ 
Theorem 3: Reduction From Distinguishing $A_{s,\epsilon,f}$ and $U_{kn+D}$ To Forging NLHB Protocol 
in Passive Model. 

If $\mathrm{Adv}^{\text{passive}}_{Z}(k, \epsilon, u, f) = \delta$ is non-negligible for some polynomial-time adversary Z, then the UNLD 
problem can be efficiently solved. 

Algorithm for Theorem 3: Given access to Z, which takes q bitstrings of $A_{s,\epsilon,f}$, runs in time t 
and forges the NLHB protocol with a passive attack, we construct an algorithm Y that takes q + 1 bit- 
strings from $A_{s,\epsilon,f}$ and can distinguish between strings drawn from $U_{kn+D}$ and $A_{s,\epsilon,f}$. Y works like this. 

1. Y has access to bitstrings from either $A_{s,\epsilon,f}$ or $U_{kn+D}$. 

2. Y draws q strings $(A_i, z_i)$, i = 1, ..., q, from this distribution. These are passed on to Z. 

3. Now Y obtains another sample pair (A, z) from the distribution (the first kn bits of the bitstring drawn 
will represent A in case of either input distribution) and challenges Z with A. Let the received response 
be z'. 

4. Y outputs 1 if z and z' differ by at most $u' = \epsilon'' D$, i.e. if $d(z', z) \leq u'$, where ε'' is some constant such 
that $\epsilon' - 2\epsilon\epsilon' + \epsilon < \epsilon'' < 1/2$. 
Analysis of the algorithm: If Y's input distribution is $U_{kn+D}$, the probability that Y outputs 1 is 

$$P_U(\epsilon'') = \frac{1}{2^D}\sum_{i=0}^{\epsilon'' D} \binom{D}{i}.$$

Since ε'' < .5, $P_U(\epsilon'')$ is negligible if D is large enough. 

Let $z^* = f(sA)$. Let w and e be the error vectors corresponding to z' and z, i.e. $z' = z^* + w$ and $z = z^* + e$. 
Then, $d(z', z^*) \leq u$ implies that $\mathrm{wt}(w) \leq u$, and $d(z', z) \leq u'$ implies that $\mathrm{wt}(w + e) \leq u'$. 

Consider the conditional probability $\Pr[d(z', z) \leq u' \mid d(z', z^*) \leq u] = \Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) \leq u]$. 
It is possible to show that 

$$\Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) \leq u] \geq \Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) = u]. \quad (17)$$

We give a proof for (17) at the end of this proof. We will now consider the right-hand side of (17) and 
prove that it is negligibly close to 1. The conditional expectation of wt(w + e) given wt(w) = u is given by 

$$E[\mathrm{wt}(w + e) \mid \mathrm{wt}(w) = u] = u(1 - \epsilon) + (D - u)\epsilon = (\epsilon' - 2\epsilon\epsilon' + \epsilon)D.$$

Since $\epsilon'' > \epsilon' - 2\epsilon\epsilon' + \epsilon$, we see that the following Chernoff bound holds: 

$$\Pr[\mathrm{wt}(w + e) \geq (1 + \Delta)\mu \mid \mathrm{wt}(w) = u] \leq \frac{\exp(\mu\Delta)}{(1 + \Delta)^{(1 + \Delta)\mu}},$$

where $\mu = (\epsilon' - 2\epsilon\epsilon' + \epsilon)D$ is the mean of the random variable wt(w + e) given that wt(w) = u, and 
$(1 + \Delta)\mu = \epsilon'' D$, which implies that 

$$\Delta = \frac{\epsilon''}{\epsilon' - 2\epsilon\epsilon' + \epsilon} - 1.$$

So we have 

$$\Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) \leq u] \geq \Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) = u] \geq 1 - \frac{\exp(\mu\Delta)}{(1 + \Delta)^{(1 + \Delta)\mu}}.$$

We also know that $\Pr[\mathrm{wt}(w + e) \leq u'] = \Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) \leq u]\,\Pr[\mathrm{wt}(w) \leq u]$. By the definition 
of the NLHB forger Z, we know that $\Pr[d(z', z^*) = \mathrm{wt}(w) \leq u] \geq (\delta + P_{FA})$, where $P_{FA}$ denotes the 
probability of success of an attacker who responds with a random response ($P_{FA}$ is known to be negligibly 
small at high D). So, we have 

$$\Pr[\mathrm{wt}(w + e) \leq u'] \geq (\delta + P_{FA})\left(1 - \frac{\exp(\mu\Delta)}{(1 + \Delta)^{(1 + \Delta)\mu}}\right). \quad (18)$$

Consequently, the difference in the probabilities of Y outputting 1 for the two distributions is at least 

$$(\delta + P_{FA})\left(1 - \frac{\exp(\mu\Delta)}{(1 + \Delta)^{(1 + \Delta)\mu}}\right) - \frac{1}{2^D}\sum_{i=0}^{\epsilon'' D}\binom{D}{i}. \quad (19)$$

Using suitable protocol parameters D, ε, ε' (say, D = 1000, ε = .25, ε' = .348 [2]), we see that the value in 
(19) is negligibly close to δ. This proves that Y can be constructed from Z. □ 
Proof For (17): We see that (by applying Bayes' rule) 

$$\begin{aligned}
\Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) \leq u] &= \Pr[\mathrm{wt}(w) \leq u \mid \mathrm{wt}(w + e) \leq u']\,\frac{\Pr[\mathrm{wt}(w + e) \leq u']}{\Pr[\mathrm{wt}(w) \leq u]} \\
&= \sum_{i=0}^{u} \Pr[\mathrm{wt}(w) = i \mid \mathrm{wt}(w + e) \leq u']\,\frac{\Pr[\mathrm{wt}(w + e) \leq u']}{\Pr[\mathrm{wt}(w) \leq u]}.
\end{aligned}$$

Applying Bayes' rule again, the above expression reduces to 

$$\Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) \leq u] = \sum_{i=0}^{u} \Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) = i]\,\frac{\Pr[\mathrm{wt}(w) = i]}{\Pr[\mathrm{wt}(w) \leq u]}.$$

The random variable $\mathrm{wt}(w + e) \mid \mathrm{wt}(w) = i$ is the sum of the bits of (w + e) and has mean 
$\mu_i = (1 - \epsilon)i + (D - i)\epsilon$. Since the bits of (w + e) are independent, $(\mathrm{wt}(w + e) \mid \mathrm{wt}(w) = i) \sim N(\mu_i, \sigma^2)$, 
where $\sigma^2 = D\epsilon(1 - \epsilon)$. So, the probability $\Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) = i]$ can be given by the Cumulative 
Distribution Function (CDF) $\left[1 - Q\left(\frac{u' - \mu_i}{\sigma}\right)\right]$, where the function Q(·) is the tail probability of N(0, 1), 
defined as $Q(a) = \frac{1}{\sqrt{2\pi}}\int_a^{\infty} e^{-x^2/2}\,dx$. Since the Q-function is a decreasing function, and $\mu_i > \mu_{i-1}$, 
$\Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) = i]$ is a decreasing function of i. So, we have 

$$\Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) \leq u] \geq \Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) = u]\,\sum_{i=0}^{u}\frac{\Pr[\mathrm{wt}(w) = i]}{\Pr[\mathrm{wt}(w) \leq u]}.$$

This implies that 

$$\Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) \leq u] \geq \Pr[\mathrm{wt}(w + e) \leq u' \mid \mathrm{wt}(w) = u]. \quad (20)$$

□ 

From Theorems 1 to 3, we can see that, if UNLD is hard, then it is hard to forge a Prover of the NLHB 
protocol in polynomial-time, making NLHB computationally secure in the passive attack model. 



B Security Proof For NLHB+ In DET Model: 

Theorem 4: Reduction From UNLD Problem To Active Attack on NLHB+: If for some polynomial- 
time adversary $Z_+$, $\mathrm{Adv}^{\text{active}}_{Z_+}(k, \epsilon, u, f) = \delta$ is non-negligible, the UNLD problem can be efficiently 
solved. 

To prove this, we show how to build the algorithm Y that can differentiate between the distributions $U_{kn+D}$ 
and $A_{s_1,\epsilon,f}$ (for secret $s_1$) using access to an NLHB+ adversary $Z_+$ in the "DET" model. This proof strategy 
is based on [8]. 



Algorithm for Y: 

1. Y chooses $s_2$ at random from $\{0,1\}^k$. During the query phase of $Z_+$, Y draws the bitstring (B, z) 
(as usual, irrespective of the input distribution, the first kn bits will form B) from its unknown input 
distribution ($U_{kn+D}$ or $A_{s_1,\epsilon,f}$) and passes B to $Z_+$. $Z_+$ replies with challenge A. In response, Y sends 
$\tilde{z} = z + f(s_2 A)$ to $Z_+$. This is repeated q times. 

2. In its challenge phase, $Z_+$ sends a matrix B as blinding matrix to Y. Y challenges $Z_+$ with a random 
matrix $A^{(1)}$ and receives response $z^{(1)}$ from $Z_+$. Now, Y rewinds $Z_+$ and challenges it with another 
random matrix $A^{(2)}$ and receives $z^{(2)}$ in response. 

3. Let $z^{\oplus} = z^{(1)} + z^{(2)}$. Further, let $\bar{z} = f(s_2 A^{(1)}) + f(s_2 A^{(2)})$. Y outputs 1 if $z^{\oplus}$ and $\bar{z}$ differ in fewer 
than $u' = \epsilon_1 D$ entries ($\epsilon_1$ to be defined). 

Analysis of the Algorithm: When Y's input is $U_{kn+D}$, z is uniformly distributed. Hence $\tilde{z} = z + f(s_2 A)$ 
is also uniformly distributed and independent of $s_2$. So no information about $s_2$ reaches $Z_+$ in the query 
phase. This means that, as far as $Z_+$ is concerned, $\bar{z}$ is uniformly distributed in the random code 
$C = \{f(s_2 A^{(1)}) + f(s_2 A^{(2)})\}_{s_2}$. Now, we show that $\Pr[d(z^{\oplus}, \bar{z}) \leq \epsilon_1 D]$ is negligibly small for large D. 

Consider the Hamming ball B of radius $\epsilon_1 D$ centred at $z^{\oplus}$. Let X be the number of codewords of C 
present in this Hamming ball. When the matrices $A^{(1)}$ and $A^{(2)}$ are picked, they are picked uniformly at 
random. This means, because of Property 3 of f (uniform inputs give uniform outputs), the vectors in the code 
C form a random code. We now apply the Markov inequality on X. 

Pr[X>p]<&, (21) 
P 

where E{X) is the mean of X. Now consider Pr[(i(z®,z) > eiD]. We see that 

Pr[d(z®,z) > eiD] = Pr[(i(z®,z) > eiD \ X < p]Pi-[X < p] + Pr[d(z® , z) > eiD \ X > p]Pt[X > p] 

> Pr[rf(z® , z) > eiD\X < p]Pr[X < p] (22) 

Consider $\Pr[d(z^\oplus,\hat{z}) > e_1D \mid X < p]$. This can be written as

$$\Pr[d(z^\oplus,\hat{z}) > e_1D \mid X < p] = \frac{\Pr[X < p \mid d(z^\oplus,\hat{z}) > e_1D]\,\Pr[d(z^\oplus,\hat{z}) > e_1D]}{\Pr[X < p]}$$

$$= \sum_{i=0}^{p-1} \frac{\Pr[X = i \mid d(z^\oplus,\hat{z}) > e_1D]\,\Pr[d(z^\oplus,\hat{z}) > e_1D]}{\Pr[X < p]}$$

$$= \sum_{i=0}^{p-1} \Pr[d(z^\oplus,\hat{z}) > e_1D \mid X = i]\,\frac{\Pr[X = i]}{\Pr[X < p]}.$$

Notice that the quantity $\Pr[d(z^\oplus,\hat{z}) > e_1D \mid X = i]$ decreases as $i$ increases. This is because, with more codewords of $C$ within the Hamming ball $\mathcal{B}$, the higher is the chance that $\hat{z}$ lies within $\mathcal{B}$, and so the higher is the chance that the distance between $\hat{z}$ and $z^\oplus$ is within $e_1D$. So we can write

$$\Pr[d(z^\oplus,\hat{z}) > e_1D \mid X < p] \ge \sum_{i=0}^{p-1} \Pr[d(z^\oplus,\hat{z}) > e_1D \mid X = p]\,\frac{\Pr[X = i]}{\Pr[X < p]}$$

$$= \Pr[d(z^\oplus,\hat{z}) > e_1D \mid X = p].$$



So, we have from (22) that

$$\Pr[d(z^\oplus,\hat{z}) > e_1D] \ge \Pr[d(z^\oplus,\hat{z}) > e_1D \mid X < p]\,\Pr[X < p]$$

$$\ge \Pr[d(z^\oplus,\hat{z}) > e_1D \mid X = p]\,\Pr[X < p]$$

$$= \Pr[\hat{z} \notin \mathcal{B} \mid X = p]\,\Pr[X < p]. \qquad (23)$$

We know from the Markov inequality in (21) that $\Pr[X < p]$ is lower bounded by $\left(1 - \frac{E(X)}{p}\right)$. The mean number of codewords from $C$ which lie in the Hamming ball $\mathcal{B}$ is $E(X) = |\mathcal{B}|\,2^{k-D}$, since each of the $2^k$ codewords of the random code $C$ is uniform over $\{0,1\}^D$ and lands in $\mathcal{B}$ with probability $|\mathcal{B}|/2^D$. So (23) becomes

$$\Pr[d(z^\oplus,\hat{z}) > e_1D] \ge \left(1 - \frac{|\mathcal{B}|\,2^{k-D}}{p}\right)\Pr[\hat{z} \notin \mathcal{B} \mid X = p]. \qquad (24)$$

Out of the $2^k$ codewords of $C$, the probability that $\hat{z}$ is one of the $p$ codewords in $\mathcal{B}$ is $\frac{p}{2^k}$. So the probability that $\hat{z}$ does not belong to the Hamming ball $\mathcal{B}$, when it is known that $\mathcal{B}$ contains exactly $p$ codewords of $C$, is $\left(1 - \frac{p}{2^k}\right)$. So,

$$\Pr[d(z^\oplus,\hat{z}) > e_1D] \ge \left(1 - \frac{|\mathcal{B}|\,2^{k-D}}{p}\right)\left(1 - \frac{p}{2^k}\right).$$

Pick $p = 2^{3k/4}$, say. Then

$$\Pr[d(z^\oplus,\hat{z}) > e_1D] \ge \left(1 - 2^{-k/4}\right)\left(1 - |\mathcal{B}|\,2^{k/4 - D}\right).$$

We notice that $|\mathcal{B}|$, the number of vectors in a Hamming ball of radius $e_1D$, is given by $|\mathcal{B}| = \sum_{i=0}^{e_1D}\binom{D}{i}$. So,

$$\Pr[d(z^\oplus,\hat{z}) > e_1D] \ge \left(1 - 2^{-k/4}\right)\left(1 - 2^{k/4-D}\sum_{i=0}^{e_1D}\binom{D}{i}\right).$$

Since $e_1 < \tfrac{1}{2}$, this bound tends to 1 asymptotically with $D$. So the probability $\Pr[d(z^\oplus,\hat{z}) < e_1D]$ becomes negligibly small. So, in case the input distribution to $Y$ is $U_{kn+D}$, the probability of $Y$ outputting 1 is negligible.
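The bound just derived can be evaluated exactly for concrete parameters, which makes the asymptotic claim tangible. The following Python is an added illustration, not code from the paper: it computes $|\mathcal{B}| = \sum_{i=0}^{e_1D}\binom{D}{i}$, the mean $E(X) = |\mathcal{B}|\,2^{k-D}$ of a random code with $2^k$ codewords, and the product $(1 - E(X)/p)(1 - p/2^k)$ with $p = 2^{3k/4}$. The parameter values ($k = 32$, $e_1 = 1/4$, the list of $D$) are constructed for the demonstration; it assumes $k$ is a multiple of 4 so that $p$ is an integer, and takes the ball radius as $\lfloor e_1D \rfloor$.

```python
from fractions import Fraction
from math import comb


def hamming_ball_size(D, radius):
    """|B| = sum_{i=0}^{radius} C(D, i): the number of length-D binary vectors
    within Hamming distance `radius` of a fixed centre (z^oplus in the proof)."""
    return sum(comb(D, i) for i in range(radius + 1))


def expected_codewords_in_ball(k, D, radius):
    """E(X) for a random code with 2^k codewords, each uniform over {0,1}^D:
    a codeword lands in the ball with probability |B| / 2^D, so
    E(X) = 2^k * |B| / 2^D = |B| * 2^(k-D)."""
    return Fraction(2 ** k * hamming_ball_size(D, radius), 2 ** D)


def distance_bound(k, D, e1):
    """Lower bound on Pr[d(z^oplus, z_hat) > e1*D] from the appendix, with the
    Markov threshold fixed at p = 2^(3k/4):
        (1 - E(X)/p) * (1 - p/2^k) = (1 - 2^(-k/4)) * (1 - |B| * 2^(k/4 - D)).
    Exact rational arithmetic. Assumes k is a multiple of 4 and uses the
    radius floor(e1 * D). A negative value just means the bound is vacuous."""
    assert k % 4 == 0, "p = 2^(3k/4) must be an integer in this illustration"
    radius = int(e1 * D)
    p = 2 ** (3 * k // 4)
    markov_term = 1 - expected_codewords_in_ball(k, D, radius) / p  # Pr[X < p] >= 1 - E(X)/p
    miss_term = 1 - Fraction(p, 2 ** k)  # Pr[z_hat not in B | X = p] = 1 - p/2^k
    return markov_term * miss_term


def bound_table(k, e1, lengths):
    """Evaluate the bound for several response lengths D (as floats for display)."""
    return [(D, float(distance_bound(k, D, e1))) for D in lengths]


if __name__ == "__main__":
    # Constructed parameters: k = 32 secret bits, e1 = 1/4 (< 1/2, as the proof requires).
    for D, value in bound_table(32, Fraction(1, 4), (16, 32, 64, 128, 256)):
        print(f"D = {D:4d}: Pr[d(z_oplus, z_hat) > e1*D] >= {value:+.6f}")
    # For fixed k the limit is 1 - 2^(-k/4): the 2^(k/4-D)*|B| term vanishes
    # because |B| grows only like 2^(H(e1) D) with H(e1) < 1 for e1 < 1/2,
    # which is why the text adds "for fixed reasonably large k" when D grows.
```

For short responses the bound is negative (vacuous), it becomes useful once $2^{k/4-D}|\mathcal{B}|$ drops below 1, and it then approaches $1 - 2^{-k/4}$ from below; the exact rational arithmetic avoids the floating-point underflow one would otherwise hit at $D$ in the hundreds.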

When $Y$'s input distribution is $A_{s_1,e',f}$ for a randomly chosen $s_1$, $Y$ perfectly simulates the NLHB$^+$ protocol to $Z^+$ during the query phase. Let $w$ denote the randomness involved in simulating the query phase of $Z^+$, which includes $Z^+$'s randomness, the randomness in choosing $(s_1, s_2)$, and the randomness in responding to $Z^+$'s queries. Let $(\delta_w + P_{fa})$ be the probability that $Z^+$ successfully impersonates the Prover in the second phase when the randomness is $w$. Then $Z^+$ correctly replies to both queries $A^{(1)}$ and $A^{(2)}$ with probability $(\delta_w + P_{fa})^2$. The overall probability that $Z^+$ successfully responds to both sets of queries is

$$E_w\left((\delta_w + P_{fa})^2\right) \ge \left(E_w(\delta_w + P_{fa})\right)^2 = (\delta + P_{fa})^2 \qquad (25)$$

using Jensen's inequality, where $E_w$ denotes expectation over $w$. Conditioned on this event, we show that for an appropriate $e_1$, $z^\oplus$ and $\hat{z}$ differ by fewer than $u'$ entries with a constant probability (proven below). So $Y$ outputs 1 with probability $\Omega((\delta + P_{fa})^2)$, which implies that $Y$ can distinguish $U_{kn+D}$ and $A_{s_1,e',f}$ with non-negligible probability. This concludes the proof of Theorem 4. □

Proof that $z^\oplus$ and $\hat{z}$ differ by fewer than $u'$ entries: Set $\tfrac{1}{2} > e_1 > \tfrac{1}{2}\left(1 - (1 - 2e')^2\right)$. Fixing all randomness, let $f_{Z^+}$ denote the mapping that the adversary applies from a challenge matrix $A$ to its response $z$ in the second phase. Since we are looking at the process after $B$ has been fixed, $B$ is not an argument to the function $f_{Z^+}$. Let $f_{\mathrm{correct}}(A)$ denote $f(s_2A) + f(s_1B)$, the correct response to the challenge $A$. Define $\Delta(A) = f_{Z^+}(A) + f_{\mathrm{correct}}(A)$. We say that $A$ is a good query matrix if $\mathrm{wt}(\Delta(A)) < u$, i.e. if $Z^+$ successfully impersonates the Prover for that matrix. Let $D_\Delta$ denote the distribution of $\Delta(A)$ over all good query matrices. Note that by definition, for all $\Delta(A)$ in $D_\Delta$, $\mathrm{wt}(\Delta(A)) < u$.

Let $\Delta^{(1)} = \Delta(A^{(1)})$ and $\Delta^{(2)} = \Delta(A^{(2)})$. Then

$$\Delta^{(1)} + \Delta^{(2)} = f_{Z^+}(A^{(1)}) + f_{Z^+}(A^{(2)}) + f_{\mathrm{correct}}(A^{(1)}) + f_{\mathrm{correct}}(A^{(2)}).$$

Using $f_{\mathrm{correct}}(A^{(1)}) + f_{\mathrm{correct}}(A^{(2)}) = f(s_2A^{(1)}) + f(s_2A^{(2)}) = \hat{z}$ (the $f(s_1B)$ terms cancel) and $f_{Z^+}(A^{(1)}) + f_{Z^+}(A^{(2)}) = z^\oplus$, we see that $d(\Delta^{(1)}, \Delta^{(2)}) < u'$ whenever $d(z^\oplus, \hat{z}) < u'$. We now analyse the probability that $d(\Delta^{(1)}, \Delta^{(2)}) < u'$.

Using arguments based on the Johnson bound as in [8], we can show that $\Pr[d(\Delta^{(1)}, \Delta^{(2)}) < u'] \ge \frac{1}{c}$, where $c$ is a constant determined by $\delta_\epsilon = 1 - 2e_1$ and $\gamma = 1 - 2e'$. So $Y$ outputs 1 with probability at least $\frac{1}{c}(\delta + P_{fa})^2$ when the input distribution is $A_{s_1,e',f}$. □

So, the difference in the probabilities of $Y$ in the proof of Theorem 4 outputting 1 for the two distributions $A_{s_1,e',f}$ and $U_{kn+D}$ is at least

$$\frac{1}{c}(\delta + P_{fa})^2 - 2^{-k/4} - 2^{k/4-D}\sum_{i=0}^{e_1D}\binom{D}{i} + 2^{-D}\sum_{i=0}^{e_1D}\binom{D}{i}. \qquad (26)$$

We see that this difference in probabilities tends to the non-negligible quantity $\frac{1}{c}\delta^2$ asymptotically with $D$ (and for fixed, reasonably large $k$).

Thus Theorems 2 and 4 together show a reduction from the UNLD problem to the problem of an active attack on the NLHB$^+$ protocol. Since the UNLD problem is known to be hard, the active attack problem is also hard.

C Proof For Uniformity of Function $f$

Theorem: $f$ is a balanced function. If the input to the function $f$ is uniformly distributed, so is its output.

Proof. We first prove that each bit of the output is balanced. For this, we consider $\Pr[y_i = 1]$.

$$\Pr[y_i = 1] = \Pr[x_i + g(x_{i+1}, \ldots, x_{i+p}) = 1]$$

$$= \tfrac{1}{2}\Pr[g(x_{i+1}, \ldots, x_{i+p}) = 1 \mid x_i = 0] + \tfrac{1}{2}\Pr[g(x_{i+1}, \ldots, x_{i+p}) = 0 \mid x_i = 1].$$

Since the input vector is uniform, the bits of $x$ are independent. So this is equal to

$$= \tfrac{1}{2}\Pr[g(x_{i+1}, \ldots, x_{i+p}) = 1] + \tfrac{1}{2}\Pr[g(x_{i+1}, \ldots, x_{i+p}) = 0]$$

$$= \tfrac{1}{2}. \qquad (27)$$

So each bit of the output is balanced. Now we use this to prove the theorem. To this end, we first define the following vectors. Let $y^i = [y_{D-i+1}, \ldots, y_D]$ be the vector containing the last $i$ bits of $y$, so $y^D = y$. Let $a = [a_1, \ldots, a_D]$ be an arbitrary constant $D$-bit vector. We also define $a^i = [a_{D-i+1}, \ldots, a_D]$ similar to $y^i$. Now consider the probability $\Pr[y^i = a^i]$.

$$\Pr[y^i = a^i] = \Pr[y^i = a^i \mid x_{D-i+1} = 0]\,\Pr[x_{D-i+1} = 0] + \Pr[y^i = a^i \mid x_{D-i+1} = 1]\,\Pr[x_{D-i+1} = 1].$$

Since the input is uniformly distributed, this is equal to

$$= \tfrac{1}{2}\Pr[y^i = a^i \mid x_{D-i+1} = 0] + \tfrac{1}{2}\Pr[y^i = a^i \mid x_{D-i+1} = 1]$$

$$= \tfrac{1}{2}\Pr[g(x_{D-i+2}, \ldots, x_{D-i+p+1}) = a_{D-i+1},\; y^{i-1} = a^{i-1} \mid x_{D-i+1} = 0]$$

$$\quad + \tfrac{1}{2}\Pr[g(x_{D-i+2}, \ldots, x_{D-i+p+1}) = a_{D-i+1} + 1,\; y^{i-1} = a^{i-1} \mid x_{D-i+1} = 1]. \qquad (28)$$

We point out that in the vector $y^i$, only the bit $y_{D-i+1}$ depends on $x_{D-i+1}$. Since both $g(x_{D-i+2}, \ldots, x_{D-i+p+1})$ and $y^{i-1}$ are independent of $x_{D-i+1}$, we can remove the conditioning from the above equation. So the above expression becomes

$$\tfrac{1}{2}\left(\Pr[g(x_{D-i+2}, \ldots, x_{D-i+p+1}) = a_{D-i+1},\; y^{i-1} = a^{i-1}] + \Pr[g(x_{D-i+2}, \ldots, x_{D-i+p+1}) = a_{D-i+1} + 1,\; y^{i-1} = a^{i-1}]\right). \qquad (29)$$

Now $g(x_{D-i+2}, \ldots, x_{D-i+p+1})$ takes the binary values $0$ and $1$. So, by summing the joint probability of $g(x_{D-i+2}, \ldots, x_{D-i+p+1})$ and $y^{i-1}$ over these two values, we are effectively finding the marginal probability of $y^{i-1}$. So, from (28) and (29), we have

$$\Pr[y^i = a^i] = \tfrac{1}{2}\Pr[y^{i-1} = a^{i-1}]. \qquad (30)$$

Plugging $i = D$ into the above equation and expanding, we have

$$\Pr[y^D = a^D] = \tfrac{1}{2}\Pr[y^{D-1} = a^{D-1}] = \cdots = \frac{1}{2^{D-1}}\Pr[y^1 = a^1] = \frac{1}{2^{D-1}}\Pr[y_D = a_D] = \frac{1}{2^D} \qquad (31)$$

from (27). Since this proof holds for any $a$, the output of $f$ is uniformly distributed. □
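The balance argument above can be checked exhaustively for small parameters, which also shows why the linear term $x_i$ in $y_i = x_i + g(x_{i+1}, \ldots, x_{i+p})$ matters. The following Python is an added illustration, not code from the paper: it builds a map of that shape from an arbitrary Boolean $g$, enumerates every input in $\{0,1\}^{D+p}$, and verifies that each of the $2^D$ outputs occurs exactly $2^p$ times and that every output bit has $\Pr[y_i = 1] = \tfrac{1}{2}$ as in (27). The two $g$ functions (`g_example`, `g_and`), the parameter choices, and the counterexample map `f_without_linear_term` (the same construction with the $x_i$ term dropped) are constructed for the demonstration and are not the paper's $g$.

```python
from collections import Counter
from itertools import product


def f_nlhb_style(x, D, p, g):
    """The shape of f used in the proof: y_i = x_i + g(x_{i+1}, ..., x_{i+p}) over GF(2)
    for i = 1..D, with x of length D + p (0-indexed here). Any Boolean g is allowed."""
    assert len(x) == D + p
    return tuple((x[i] ^ g(x[i + 1:i + 1 + p])) & 1 for i in range(D))


def f_without_linear_term(x, D, p, g):
    """Counterexample map (hypothetical, not from the paper): y_i = g(x_{i+1}, ..., x_{i+p})
    with the x_i term dropped. The balance of f relies on that term."""
    return tuple(g(x[i + 1:i + 1 + p]) & 1 for i in range(D))


def g_example(window):
    """Hypothetical nonlinear g on p = 3 bits: a*b + c over GF(2)."""
    a, b, c = window
    return (a & b) ^ c


def g_and(window):
    """Hypothetical g: AND of all p bits (heavily biased towards 0)."""
    out = 1
    for bit in window:
        out &= bit
    return out


def output_histogram(D, p, g, fmap=f_nlhb_style):
    """Apply fmap to every input in {0,1}^(D+p); count how often each output occurs."""
    hist = Counter()
    for x in product((0, 1), repeat=D + p):
        hist[fmap(x, D, p, g)] += 1
    return hist


def is_uniform(D, p, g, fmap=f_nlhb_style):
    """Uniform output means every one of the 2^D outputs occurs exactly 2^p times."""
    hist = output_histogram(D, p, g, fmap)
    return len(hist) == 2 ** D and set(hist.values()) == {2 ** p}


def bit_bias(D, p, g, fmap=f_nlhb_style):
    """Pr[y_i = 1] for each output bit; (27) in the proof says these are all 1/2."""
    total = 2 ** (D + p)
    ones = [0] * D
    for x in product((0, 1), repeat=D + p):
        for i, bit in enumerate(fmap(x, D, p, g)):
            ones[i] += bit
    return [count / total for count in ones]


if __name__ == "__main__":
    print("f with g = a*b+c, D=5, p=3 uniform:", is_uniform(5, 3, g_example))
    print("f with g = AND,   D=5, p=2 uniform:", is_uniform(5, 2, g_and))
    print("per-bit Pr[y_i = 1], g = AND:", bit_bias(5, 2, g_and))
    print("same g = AND without the x_i term uniform:",
          is_uniform(5, 2, g_and, f_without_linear_term))
```

The exhaustive check mirrors the proof's structure: fixing the last $p$ input bits, the map from $(x_1, \ldots, x_D)$ to $y$ is invertible bit by bit from $y_D$ downwards, so every output is hit equally often regardless of how biased $g$ is, whereas the map without the $x_i$ term inherits $g$'s bias.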



D Notations

— All vectors are denoted in bold letters. Scalars are denoted in normal text.

— $]0, \tfrac{1}{2}[$ denotes the open interval from $0$ to $\tfrac{1}{2}$.

— $\{0,1\}^x$ denotes the space of all binary vectors of length $x$.

— $\{0,1\}^{x \times y}$ denotes the space of all binary matrices of size $x \times y$.

— $\mathrm{wt}(\mathbf{x})$ denotes the Hamming weight of the binary vector $\mathbf{x}$. This is equal to the number of non-zero entries in $\mathbf{x}$.

— $d(\mathbf{x}, \mathbf{y})$ denotes the Hamming distance between the binary vectors $\mathbf{x}$ and $\mathbf{y}$. This is equal to the number of places where $\mathbf{x}$ and $\mathbf{y}$ differ.

— $GF(2)$ denotes the Galois field with two elements.

— In this paper, $+$ is used to denote XOR addition, which is the addition over $GF(2)$.

— $\binom{n}{k} = \frac{n!}{k!\,(n-k)!}$, where $n!$ denotes the factorial.

— $\overset{U}{\leftarrow}$ denotes "picked uniformly at random from".

— When a distribution is superscripted over an algorithm (e.g. $X^{\mathcal{A}}$), this means that the algorithm $X$ has input following the distribution $\mathcal{A}$.

— $A_{s,e',f}$ denotes the distribution followed by the $(kn + D)$-length bitstrings that form the transcript of one authentication session between an honest NLHB prover and verifier, for a shared secret $s$.

— $U_{kn+D}$ denotes the distribution of uniformly distributed $(kn + D)$-length bitstrings.

— For a set $R$ and its subset $R' \subset R$, $R \setminus R'$ denotes the set containing all the elements in $R$ that are not in $R'$.